From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 23 Sep 2025 11:00:50 +0000 (+0200)
Subject: unbound.service.in: allow CAP_NET_ADMIN
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fa6340cfa58390eba782024cf53fc565790bec88;p=thirdparty%2Funbound.git

unbound.service.in: allow CAP_NET_ADMIN

Allowing CAP_NET_ADMIN is necessary for SO_SNDBUFFORCE and SO_RCVBUFFORCE calls.
---

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index cc8d0ed2d..45101f612 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -59,7 +59,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_NET_ADMIN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true