From 39a004844532f7d82ea9d367338ccca4b535a14f Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 9 Nov 2022 21:15:11 +0100 Subject: [PATCH] systemd: disable non-working remaining sandboxing options (#2205) * systemd: use PrivateUsers= in user unit ProtectSystem= and other sandboxing options require a user namespace in order to work as user units (the user manager does not run as root and thus without a user namespace it is unable to perform mounts). --- contrib/systemd/onedrive.service.in | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/contrib/systemd/onedrive.service.in b/contrib/systemd/onedrive.service.in index a37103fb..f219f2ce 100644 --- a/contrib/systemd/onedrive.service.in +++ b/contrib/systemd/onedrive.service.in @@ -5,9 +5,11 @@ After=network-online.target Wants=network-online.target [Service] -# Commented out hardenings are disabled because they don't work out of the box. +# Commented out hardenings are disabled because they may not work out of the box on your distribution # If you know what you are doing please try to enable them. + ProtectSystem=full +PrivateUsers=true #PrivateDevices=true ProtectHostname=true #ProtectClock=true @@ -22,4 +24,4 @@ RestartSec=3 RestartPreventExitStatus=3 [Install] -WantedBy=default.target +WantedBy=default.target \ No newline at end of file