From: Pascal Ernster Date: Fri, 20 Sep 2019 04:47:56 +0000 (+0000) Subject: Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service X-Git-Tag: release-1.9.6rc1~104^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F82%2Fhead;p=thirdparty%2Funbound.git Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem than CAP_NET_RAW, so prefer the safer, more restrictive solution. --- diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 5c512f1dc..c5f95c76c 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -13,7 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_ADMIN +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true
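Review bot: The kernel-version dependency that justifies this hunk lives only in the commit message; a reader of contrib/unbound.service.in sees CAP_NET_RAW in the CapabilityBoundingSet= line and has no way to tell that CAP_NET_ADMIN was dropped deliberately, or that IP_TRANSPARENT works with CAP_NET_RAW alone only from kernel 3.2 onward. Suggest a comment directly above the changed line, e.g.
# CAP_NET_RAW is enough for IP_TRANSPARENT on kernel >= 3.2; CAP_NET_ADMIN is not needed
and a release-notes entry, because on a kernel older than 3.2 an ip-transparent deployment would now fail to set the socket option where it previously worked. The direction of the change is sound: CapabilityBoundingSet= only limits what the daemon may ever hold, so removing CAP_NET_ADMIN reduces what a compromised unbound process could do without granting it anything new, and it fits the NoNewPrivileges=true and PrivateDevices=true lines in the same context. If the configuration documentation elsewhere in the tree still names CAP_NET_ADMIN as the requirement for ip-transparent, it should be updated in the same change so the two do not disagree.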