dnsdist: Mention the need to allow CAP_BPF in the AppArmor policy in the unit file 11839/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 9 Aug 2022 16:05:01 +0000 (18:05 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 9 Aug 2022 16:05:01 +0000 (18:05 +0200)
pdns/dnsdistdist/dnsdist.service.in

index bb11a26dd7e3c6e1f32d90bd9071f39cb673a451..5b2205345f15f87ce5c8aafa10373ddbec234f02 100644 (file)
@@ -27,6 +27,8 @@ LimitNOFILE=16384
 # Sandboxing
 # Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support,
 # and CAP_NET_RAW to be able to set the source interface to contact a backend
+# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the
+# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough.
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LockPersonality=true
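Review bot: The two added comment lines name only `capability bpf,`, while the comment just above them also lists CAP_SYS_ADMIN (for kernels before 5.8) and CAP_NET_RAW, which a confining AppArmor profile would presumably deny in the same way. I would word the addition to cover all three and to state the least-privilege preference: `# If an AppArmor policy is in use, it must also allow each capability added here: 'capability bpf,' (CAP_BPF),` / `# 'capability sys_admin,' (CAP_SYS_ADMIN, only where CAP_BPF is unavailable) or 'capability net_raw,' (CAP_NET_RAW).` It may also help to say that the capability has to be added to both `CapabilityBoundingSet=` and `AmbientCapabilities=` below, since both are shown holding only CAP_NET_BIND_SERVICE. The unit section these lines belong to starts and ends outside the hunk, so any further sandboxing directives are not visible here.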