From: Remi Gacogne Date: Tue, 4 Jun 2024 14:28:31 +0000 (+0200) Subject: dnsdist: Edit the systemd unit file, `CAP_BPF` is no longer enough X-Git-Tag: rec-5.2.0-alpha0~31^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F14281%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Edit the systemd unit file, `CAP_BPF` is no longer enough We used to be able to use only `CAP_BPF` since kernel 5.8, but the eBPF verifier has been made more strict a few versions later and we now require `CAP_SYS_ADMIN` again. --- diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in index eb75e7632a..bd810fd912 100644 --- a/pdns/dnsdistdist/dnsdist.service.in +++ b/pdns/dnsdistdist/dnsdist.service.in @@ -25,10 +25,10 @@ LimitNOFILE=16384 # LimitMEMLOCK=infinity # Sandboxing -# Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support, +# Note: adding CAP_SYS_ADMIN is required to use eBPF support, # and CAP_NET_RAW to be able to set the source interface to contact a backend # If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the -# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough. +# capability: adding a 'capability sys_admin,' line to the policy is usually enough. CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE LockPersonality=true
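Review bot: the new comment drops the kernel-version qualifier without saying which kernel made CAP_BPF insufficient; the commit message only says "a few versions later", so an operator reading the unit file cannot tell whether a given kernel still works with the narrower capability. Since CAP_SYS_ADMIN is far broader than the CAP_BPF it replaces, the note would be more useful to operators if it stated the minimum kernel at which CAP_BPF alone stopped being enough and said plainly that enabling eBPF support now means granting CAP_SYS_ADMIN, so that the remaining sandboxing directives in this unit (CapabilityBoundingSet, LockPersonality and the rest) are understood as the compensating controls. The AppArmor guidance is consistent with the change, since 'capability sys_admin,' matches the capability now documented.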