units: add more caps to machined

Otherwise copying full directory trees between container and host won't work, as we cannot access some fiels and cannot adjust the ownership properly on the destination. Of course, adding these many caps to the daemon kinda defeats the purpose of the caps lock-down... but well... Fixes #433
author: Lennart Poettering <lennart@poettering.net> 2015-07-27 17:45:45 +0200
committer: Lennart Poettering <lennart@poettering.net> 2015-07-27 17:45:45 +0200
commit: b242faae06034c981927f48a80817aae04e5e7ff (patch)
tree: 9c00ec584ae423fb59cd13eb8b1396ed8eeb27bf
parent: baee30afce50b611724e6c6a4ca61a4469b11d9d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 19c33959d6..fb1f383cdc 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -15,7 +15,7 @@ After=machine.slice
 [Service]
 ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
-CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID
 WatchdogSec=1min
 
 # Note that machined cannot be placed in a mount namespace, since it
author	Lennart Poettering <lennart@poettering.net>	2015-07-27 17:45:45 +0200
committer	Lennart Poettering <lennart@poettering.net>	2015-07-27 17:45:45 +0200
commit	b242faae06034c981927f48a80817aae04e5e7ff (patch)
tree	9c00ec584ae423fb59cd13eb8b1396ed8eeb27bf
parent	baee30afce50b611724e6c6a4ca61a4469b11d9d (diff)