From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 28 Jan 2020 17:42:41 +0000 (+0100)
Subject: unbound.service.in: drop CAP_IPC_LOCK
X-Git-Tag: release-1.10.0rc1~31^2~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=939cf38576727ac2f52d3aacae4b446caad039e5;p=thirdparty%2Funbound.git

unbound.service.in: drop CAP_IPC_LOCK

CAP_IPC_LOCK controls whether a process can lock pages into physical
memory (for instance to prevent passwords or private keys from
being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or
shmctl() with the SHM_LOCK command, neither of which seem to be
used by unbound.
---

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index e3361db59..ec6b3ba28 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -54,7 +54,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index 9e830cd21..a77df49fa 100644
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -28,7 +28,7 @@ ExecReload=+/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true