nsresourced: make sure "tun" driver is properly loaded and accessible
authorLennart Poettering <lennart@poettering.net>
Fri, 13 Jun 2025 13:12:25 +0000 (15:12 +0200)
committerMike Yuan <me@yhndnzj.com>
Fri, 13 Jun 2025 22:59:37 +0000 (00:59 +0200)
We need access to /dev/net/tun, hence make sure we can actually see
/dev/. Also make sure the module is properly loaded before we operate,
given that we run with limited caps. But then again give the CAP_NET_ADMIN
cap, since we need to configure the network tap/tun devices.

Follow-up for: 1365034727b3322e0adf371700cc540a1bcd95c1

units/systemd-nsresourced.service.in

index 6ecfefc7cf174adb54cda1c9bddc0de8b6c16325..0e2d6b3628c3535dba62b58230768a0cef5a3e01 100644 (file)
@@ -13,17 +13,20 @@ Documentation=man:systemd-nsresourced.service(8)
 Requires=systemd-nsresourced.socket
 Conflicts=shutdown.target
 Before=sysinit.target shutdown.target
+Wants=modprobe@tun.service
+After=modprobe@tun.service
 DefaultDependencies=no
 
 [Service]
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER CAP_NET_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-nsresourced
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-PrivateDevices=yes
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
 ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
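Review bot: `DeviceAllow=/dev/net/tun rwm` grants the `m` (mknod) permission, which nothing visible in this hunk uses: the new CapabilityBoundingSet= line does not include CAP_MKNOD, so the service could not create the node anyway, and `DeviceAllow=/dev/net/tun rw` looks sufficient for opening the device. Dropping PrivateDevices=yes also drops what it implied beyond DevicePolicy=closed, namely the private /dev mount and the deny filter for the @raw-io system call group; the [Service] section continues past the end of the hunk, so whether a SystemCallFilter= line there already covers @raw-io cannot be confirmed from here. A short comment above the two new lines would record the trade-off, e.g. `# No PrivateDevices=: we need /dev/net/tun; device access is limited via the device cgroup policy instead`.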