Systemd sandbox breaks "inherit ownership" feature.

[agoeckner]

The changes in #10421 broke the "inherit ownership" setting. Files were unable to sync with the following error:

Failed to sync (path=FILENAME.zip error="syncing: finishing: setting metadata: copy owner from parent: lchown /path/.syncthing.FILENAME.zip.tmp: operation not permitted" folder.label="FOLDER LABEL" folder.id=abcde-abcde folder.type=sendreceive log.pkg=model)

To get syncing running again, I had to override the sandbox configuration's SystemCallFilter variable.

The below is my working configuration:

### Editing /etc/systemd/system/syncthing@admin.service.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file

[Service]
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
SystemCallFilter=@system-service chmod

### Edits below this comment will be discarded

I clearly allowed the wrong system call through the filter; I should have used chown instead of chmod.

However, this did resolve my sync issues. I suspect that syncing started working after this change because I inadvertently removed the ~@privileged filter when I overrode the SystemCallFilter.

Originally posted by @agoeckner in #10421 (comment)

[calmh]

This should have been fixed by #10602, but now I'm confused about the system call filter. I see there's discussion in the other PR, I'll let you all sort it out.

[Valloric]

(For posterity, there's relevant discussion in #10421; see #10421 (comment))

It looks like it's caused by an unexpected interaction between positive and negative system call filter groups, the call filter groups being non-disjoint sets, and the specific declaration order of the sets (which apparently is very significant).

I'll read through the systemd source code today/tomorrow and do some experiments to confirm the behavior.