I'm sorry about being late to the party, but now that 1.31 is out I've
discovered that this change seems to make OpenVPN not work. I had an
OpenVPN config file that works fine in 1.30 but not 1.31. Removing the
ProtectHome and ProtectSystem lines from the .service file allows
OpenVPN to work in 1.31.
I also have a functional PPTP config file and that works in both 1.30
and 1.31 without modification.
On 12/1/2015 8:32 AM, Patrik Flykt wrote:
Have systemd set /home and /run/users read only as VPN certificates
be stored also in these directories. Protect other directories in the
system by making also them read only. The directory options affect also
all VPN applications started by connman-vpnd.
Restrict capabilities to a subset necessary for normal operations.
ProtectSystem=full means the VPN applications cannot write anything to
/usr or /etc. Let's hope this works out for all VPN daemons.
vpn/connman-vpn.service.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
index 120245e..e98fb71 100644
@@ -6,6 +6,9 @@ Type=dbus
+CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW