From aed83600026f31211d26a41de094429aaca4c8fc Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Mon, 27 Feb 2023 15:48:37 +0100
Subject: [PATCH] more permissions in mox.service to ease with upgrade to v0.0.2

- CAP_FSETID looks needed to make accessing setgid dirs work.
- CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH are needed to access the existing config/mox.conf.
- CAP_FOWNER seems needed to chmod the config/ and data/ files.
- RestrictSUIDSGID=yes has to be off for chmod to work
---
 mox.service | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mox.service b/mox.service
index 10b5f24..1d870a2 100644
--- a/mox.service
+++ b/mox.service
@@ -22,11 +22,10 @@ ReadWritePaths=/home/mox/config /home/mox/data
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 AmbientCapabilities=
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
 ProtectProc=invisible
-RestrictSUIDSGID=yes
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RemoveIPC=yes
@@ -40,6 +39,9 @@ DevicePolicy=closed
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 
+# Cannot have RestrictSUIDSGID with setgid directories.
+#RestrictSUIDSGID=yes
+
 # prevents CAP_NET_BIND_SERVICE from working?
 #PrivateUsers=yes
 
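Review bot: The widened CapabilityBoundingSet= line in the first hunk, together with the removal of RestrictSUIDSGID=yes, is justified in the description as a one-time upgrade need (reading the existing config/mox.conf and chmod-ing config/ and data/), yet the unit file records it as permanent, and CAP_DAC_OVERRIDE in particular bypasses every file permission check for the whole lifetime of the service. If these capabilities are only needed during migration, the narrower approach is to perform the ownership and mode fix-up once, for example in an `ExecStartPre=+...` step that runs with full privileges, keep the main process's bounding set as it was, and restore RestrictSUIDSGID=yes afterwards. At minimum the new line deserves a comment stating why and when it can be reverted, e.g. `# Transitional for the v0.0.2 upgrade: CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER are only needed to fix up config/ and data/; drop them and restore RestrictSUIDSGID=yes once migrated.`, which would fit next to the commented-out RestrictSUIDSGID line in the second hunk. Whether the bounding set matters at all depends on the User=/ExecStart= lines outside these hunks, so this is inferred from the description rather than visible here.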