git.ipfire.org Git - thirdparty/unbound.git/commitdiff
Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service 82/head
author Pascal Ernster <github@hardfalcon.net>
Fri, 20 Sep 2019 04:47:56 +0000 (04:47 +0000)
committer GitHub <noreply@github.com>
Fri, 20 Sep 2019 04:47:56 +0000 (04:47 +0000)
Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem than CAP_NET_RAW, so prefer the safer, more restrictive solution.

contrib/unbound.service.in

index 5c512f1dc67cc2106ee091e34452aacd6863ac7b..c5f95c76c368ff2512d4bd752ede179dec370bd0 100644 (file)
@@ -13,7 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
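Review bot: The new CapabilityBoundingSet= line carries no record of why CAP_NET_RAW is there or of the kernel 3.2 minimum that the commit message relies on, so the constraint will be lost to anyone reading only the unit file. A short comment directly above the line, for example "# CAP_NET_RAW: needed for IP_TRANSPARENT (kernel >= 3.2; older kernels need CAP_NET_ADMIN)", would keep it visible and tell packagers for older kernels what to restore. The commit message also justifies the swap for IP_TRANSPARENT only, while the bounding set removes CAP_NET_ADMIN for everything the service does. Before merging, it is worth confirming that no other socket option the daemon may set is gated on CAP_NET_ADMIN (Linux requires it for SO_RCVBUFFORCE and SO_SNDBUFFORCE, for instance). Because NoNewPrivileges=true sits in the same unit, a capability dropped here cannot be regained at runtime.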