From d184c21994c67042aaa00000dd3ce46b66d568cb Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Mon, 5 Feb 2024 20:28:42 +0100
Subject: [PATCH] systemd: add extra capabilities when building with CLAT

Since 5.8, kernel requires CAP_BPF for processes that want to use eBPF. CAP_PERFMON is also required for certain operations performed by the BPF program. Add the capabilities to the service unit when we are building with CLAT support.
---
 data/NetworkManager.service.in | 2 +-
 meson.build | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 8cd2ac87a3..9181544e49 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -19,7 +19,7 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT @SERVICE_EXTRA_CAPABILITIES@
 ProtectSystem=true
 ProtectHome=read-only
diff --git a/meson.build b/meson.build
index 41aee2bfb8..da0adadc76 100644
--- a/meson.build
+++ b/meson.build
@@ -26,6 +26,7 @@ nm_micro_version = version_array[2].to_int()
 nm_id_prefix = 'NM'
 nm_gir_version = '1.0'
+service_extra_capabilities = []
 # Distribution version string
 dist_version = get_option('dist_version')
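Review bot: The unit file gives no hint that `@SERVICE_EXTRA_CAPABILITIES@` is filled only when CLAT support is compiled in, so anyone auditing the bounding set of an installed unit sees CAP_BPF and CAP_PERFMON with no explanation of which code path needs them. A comment above the CapabilityBoundingSet line, such as `# @SERVICE_EXTRA_CAPABILITIES@ is filled in by meson.build (CAP_BPF CAP_PERFMON when CLAT/eBPF support is enabled, empty otherwise)`, would make the widened set auditable from the unit alone. With CLAT disabled the substitution leaves a trailing space after CAP_SYS_CHROOT; systemd splits this list on whitespace so it should be harmless, but it is worth knowing when diffing generated units. Keeping the two capabilities conditional on the build option, as the patch does, is the right default since both open the eBPF subsystem to the service.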
@@ -495,6 +496,12 @@ if enable_clat
 libbpf = dependency('libbpf', version: '>= 0.1.0', required: false)
 assert(libbpf.found(), 'You must have libbpf installed to build. Use -Dclat=false to disable use of it')
 libxdp = dependency('libxdp', version: '>= 0.1.0', required: false)
+ if 'CAP_BPF' not in service_extra_capabilities
+ service_extra_capabilities += 'CAP_BPF'
+ endif
+ if 'CAP_PERFMON' not in service_extra_capabilities
+ service_extra_capabilities += 'CAP_PERFMON'
+ endif
 endif
 config_h.set10('HAVE_CLAT', enable_clat)
@@ -963,6 +970,7 @@ data_conf.set('NM_MAJOR_VERSION', nm_major_version)
 data_conf.set('NM_MICRO_VERSION', nm_micro_version)
 data_conf.set('NM_MINOR_VERSION', nm_minor_version)
 data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep'))
+data_conf.set('SERVICE_EXTRA_CAPABILITIES', ' '.join(service_extra_capabilities))
 data_conf.set('NM_VERSION', nm_version)
 data_conf.set('VERSION', nm_version)
 data_conf.set('bindir', nm_bindir)
@@ -1169,4 +1177,5 @@ output += ' vapi: ' + enable_vapi.to_string() + '\n'
 output += ' ebpf: ' + enable_ebpf.to_string() + '\n'
 output += ' clat: ' + enable_clat.to_string() + '\n'
 output += ' readline: ' + with_readline + '\n'
+output += ' systemd service extra capabilities: ' + ', '.join(service_extra_capabilities) + '\n'
 message(output)
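Review bot: Nothing in the added lines records why CAP_BPF and CAP_PERFMON are appended, which matters because they widen the service's bounding set to the eBPF subsystem; the rationale lives only in the commit message, and a comment such as `# Kernel >= 5.8 requires CAP_BPF to use eBPF; CAP_PERFMON is needed by some operations of the CLAT BPF program` would keep it next to the code. The two `not in` guards are dead defensiveness as of this patch, since `service_extra_capabilities` is initialised as an empty list in the first hunk and this block is the only place that appends to it; if they are meant to protect against a future second contributor, a one-line comment saying so would spare the next reader the question. The enclosing `if enable_clat` block opens before the hunk. Whether an init system whose capability table predates these names warns and drops them from the bounding set is worth confirming with the author, as that failure would be silent at build time.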
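Review bot: When CLAT is disabled the added summary line prints `systemd service extra capabilities: ` with nothing after the colon, which reads like a truncated line rather than a deliberate "none". The neighbouring summary lines always print a value, so for consistency the join could fall back to a literal, e.g. `output += ' systemd service extra capabilities: ' + (service_extra_capabilities.length() > 0 ? ', '.join(service_extra_capabilities) : 'none') + '\n'`. This is cosmetic only; the generated unit in the earlier hunks is unaffected.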