From 123c056f361426d8dfa735b519dd7b3a8491ebca Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 9 Aug 2022 18:05:01 +0200
Subject: [PATCH] dnsdist: Mention the need to allow CAP_BPF in the AppArmor
 policy in the unit file

---
 pdns/dnsdistdist/dnsdist.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index bb11a26dd7..5b2205345f 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
@@ -27,6 +27,8 @@ LimitNOFILE=16384
 # Sandboxing
 # Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support,
 # and CAP_NET_RAW to be able to set the source interface to contact a backend
+# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the
+# capability: adding a 'capability bpf,' (for CAP_BPF) line to the policy is usually enough.
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LockPersonality=true
-- 
2.47.2