units: set capability bounding set for syslog services

diff --git a/TODO b/TODO
index 5c4577e374094a47fd5550fd10115cd4ace2e118..326acaf837c7aadfe8c3d3d97402fac23a40a50c 100644 (file)
--- a/TODO
+++ b/TODO
@@ -25,12 +25,18 @@ F15:
 * don't trim empty cgroups
   https://bugzilla.redhat.com/show_bug.cgi?id=678555
 
-* drop cap bounding set in logger, hostnamed, readahead, ...
-
 * make anaconda write timeout=0 for encrypted devices
 
+* Fix assert http://lists.freedesktop.org/archives/systemd-devel/2011-April/001910.html
+
 Features:
 
+* maybe lower default timeout to 2min?
+
+* GC unreferenced jobs (such as .device jobs)
+
+* support wildcard expansion in ListeStream= and friends
+
 * Add ListenSpecial to .socket units for /proc/kmsg and similar friends?
 
 * avoid DefaultStandardOutput=syslog to have any effect on StandardInput=socket services
@@ -205,6 +211,8 @@ Features:
 
 * allow runtime changing of log level and target
 
+* drop cap bounding set in readahead and other services
+
 External:
 
 * udisks should not use udisks-part-id, instead use blkid. also not probe /dev/loopxxx

diff --git a/units/systemd-kmsg-syslogd.service.in b/units/systemd-kmsg-syslogd.service.in
index aea75837344cef597e086b72704563ef5e888f5b..b20889e5e5e4cab9a1ebbef34b15cde3bba8bd85 100644 (file)
--- a/units/systemd-kmsg-syslogd.service.in
+++ b/units/systemd-kmsg-syslogd.service.in
@@ -16,3 +16,4 @@ ExecStart=@rootlibexecdir@/systemd-kmsg-syslogd
 NotifyAccess=all
 StandardOutput=null
 Sockets=syslog.socket
+CapabilityBoundingSet=CAP_DAC_OVERRIDE

diff --git a/units/systemd-logger.service.in b/units/systemd-logger.service.in
index 484df7a238ce060e30db98b08fed56e432da405c..5f7fe40939f6ac78a0674c75d6ed10257af61c30 100644 (file)
--- a/units/systemd-logger.service.in
+++ b/units/systemd-logger.service.in
@@ -17,3 +17,4 @@ After=syslog.socket
 ExecStart=@rootlibexecdir@/systemd-logger
 NotifyAccess=all
 StandardOutput=null
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID