From 2e5e75305454e49b12583571f0a3383cc0d62a54 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tomas.krizek@nic.cz>
Date: Wed, 10 Jan 2018 14:05:53 +0100
Subject: [PATCH] systemd: enable manual activation of kresd.service as
 non-root user

To be able to bind to a well known port as a non-root user, the CAP_NET_BIND_SERVICE
capability is required.
---
 systemd/kresd.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/systemd/kresd.service b/systemd/kresd.service
index 202240136..fdf75746d 100644
--- a/systemd/kresd.service
+++ b/systemd/kresd.service
@@ -9,6 +9,8 @@ EnvironmentFile=-/etc/default/kresd
 ExecStart=/usr/sbin/kresd $KRESD_ARGS
 User=knot-resolver
 Restart=on-failure
+# CAP_NET_BIND_SERVICE capability is needed for manual service activation
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=sockets.target
-- 
2.47.3