From 6943cab6708761c64e8eb55f2d4bbc5660871ff3 Mon Sep 17 00:00:00 2001
From: sam-lunt
Date: Sat, 21 Sep 2019 14:36:12 -0500
Subject: [PATCH] Add kill capability to systemd service file

The ExecReload command calls kills on a process owned by the unbound user (or whatever user is configured). To do so, it needs the CAP_KILL capability.
---
 contrib/unbound.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 6726f9d8c..334ab6d17 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -13,7 +13,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_KILL
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
-- 
2.47.2
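Review bot: The `CapabilityBoundingSet=` line now carries CAP_KILL with nothing in the unit file saying why; the reason exists only in the commit message, and it concerns the `ExecReload=/bin/kill -HUP $MAINPID` command rather than the daemon. Because the bounding set applies to every process the unit starts, not just the reload command, a comment line directly above it would help, for example `# CAP_KILL: needed by ExecReload to signal $MAINPID, which runs as the configured unprivileged user`. That keeps a later hardening pass from removing the capability and silently breaking reload, or from assuming unbound itself needs it. It is also worth confirming that the daemon gives up this capability along with the others when it switches user; that code is not visible here, and the [Service] section continues outside the hunk.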