From e7e90f00028ef44f12b95bd4fa443f48954e6a9a Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Mon, 13 Mar 2023 11:03:50 +0000
Subject: [PATCH] dovecot: Add `chroot` in container

Dovecot will, by default, have login processes run under a limited `chroot` environment. However, this broke recently with the update to Podman 4.4.1 and the removal of implicit `CAP_CHROOT` capabilities. This commit re-adds these in place.
---
 service/dovecot/systemd/dovecot.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/service/dovecot/systemd/dovecot.service b/service/dovecot/systemd/dovecot.service
index 3cf3788..48e5f53 100644
--- a/service/dovecot/systemd/dovecot.service
+++ b/service/dovecot/systemd/dovecot.service
@@ -11,6 +11,7 @@ SyslogIdentifier=%N
 Restart=on-failure
 Environment=PODMAN_SYSTEMD_UNIT=%n
 ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
+ --cap-add SYS_CHROOT \
 --env-file %E/coreos-home-server/%N/%N.env \
 --env-file %E/coreos-home-server/rspamd/rspamd.env \
 --publish 143:143 --publish 993:993 --publish 4190:4190 \
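Review bot: The added `--cap-add SYS_CHROOT` is stacked on top of Podman's default capability set, so the container now holds every default capability plus this one; since the commit's stated goal is keeping dovecot's login processes in a restricted chroot, the least-privilege form would be `--cap-drop ALL` followed by re-adding only the capabilities dovecot actually needs, which this unit does not document and which would have to be determined and tested rather than guessed. The justification for the flag lives only in the commit message, so I would add a comment directly above `ExecStart=` rather than inside the backslash-continued command, e.g. `# Podman >= 4.4 no longer grants CAP_SYS_CHROOT by default; dovecot's login processes chroot(2) at startup (presumably via login_chroot) and fail to start without it.` Note the capability is `CAP_SYS_CHROOT`, not `CAP_CHROOT` as the commit message says. The `ExecStart=` continuation sequence runs past the end of the hunk, so whether a `--cap-drop` or `--security-opt` already appears later in the command cannot be seen here.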