systemd: add chroot capability

CAP_SYS_CHROOT is needed for openvpn hardening.
2025-12-31 16:00:12 +01:00 · 2016-01-22 22:11:07 +01:00 · 2016-01-22 22:11:07 +01:00 · ba24a12739
commit ba24a12739
parent 1408b8c0a2
1 changed files with 1 additions and 1 deletions
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -12,7 +12,7 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 ProtectSystem=true
 ProtectHome=read-only