Skip to content

Commit

Permalink
portable: drop explicit PrivateTmp=yes from profiles
Browse files Browse the repository at this point in the history 
It is already implied by DynamicUser=yes if not set, but dropping it
allows users to instead define TemporaryFileSystem=/tmp/ /var/tmp/
in their portable services, which has fewer side effects.
  • Loading branch information
@bluca
bluca committed May 8, 2024
1 parent 4954b4a commit 20c1844
Show file tree
Hide file tree
Showing 3 changed files with 0 additions and 3 deletions.
1 change: 0 additions & 1 deletion src/portable/profile/default/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectSystem=strict
Expand Down
1 change: 0 additions & 1 deletion src/portable/profile/nonetwork/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ RemoveIPC=yes
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \
CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectSystem=strict
Expand Down
1 change: 0 additions & 1 deletion src/portable/profile/strict/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ BindReadOnlyPaths=/etc/machine-id
DynamicUser=yes
RemoveIPC=yes
CapabilityBoundingSet=
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectSystem=strict
Expand Down

0 comments on commit 20c1844

Please sign in to comment.