From: Remi Gacogne Date: Tue, 9 Aug 2022 16:05:01 +0000 (+0200) Subject: dnsdist: Mention the need to allow CAP_BPF in the AppArmor policy in the unit file X-Git-Tag: rec-4.8.0-alpha1~43^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11839%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Mention the need to allow CAP_BPF in the AppArmor policy in the unit file --- diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index bb11a26dd7..5b2205345f 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -27,6 +27,8 @@ LimitNOFILE=16384 # Sandboxing # Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support, # and CAP_NET_RAW to be able to set the source interface to contact a backend +# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the +# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough. CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE LockPersonality=true
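Review bot: The two added comment lines in the "# Sandboxing" block cover only the CAP_BPF case, while the note directly above them also names CAP_SYS_ADMIN (for kernels older than 5.8) and CAP_NET_RAW. A reader on an older kernel, or one who sets a source interface, gets no hint that the AppArmor policy needs the matching entry for those capabilities as well. Consider wording it generically, for example "adding the matching 'capability ...,' line (e.g. 'capability bpf,' for CAP_BPF)". It would also help to say that the policy change comes in addition to extending CapabilityBoundingSet and AmbientCapabilities, since both still list only CAP_NET_BIND_SERVICE in the lines that follow.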