systemd: add extra capabilities when building with CLAT

Since 5.8, the kernel requires CAP_BPF for processes that want to use
eBPF. CAP_PERFMON is also required for certain operations performed by
the BPF program.

Add the capabilities to the service unit when we are building with CLAT
support.
Beniamino Galvani 2024-02-05 20:28:42 +01:00
parent cfeee6d26b
commit d184c21994
2 changed files with 10 additions and 1 deletions


@ -19,7 +19,7 @@ KillMode=process
# With a huge number of interfaces, starting can take a long time. # With a huge number of interfaces, starting can take a long time.
TimeoutStartSec=600 TimeoutStartSec=600
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT @SERVICE_EXTRA_CAPABILITIES@
ProtectSystem=true ProtectSystem=true
ProtectHome=read-only ProtectHome=read-only
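Review bot: The new `@SERVICE_EXTRA_CAPABILITIES@` placeholder on the CapabilityBoundingSet line carries no comment saying where it is filled in or what it can expand to, which is exactly what someone auditing the unit's capability set needs. I would add above that line: `# @SERVICE_EXTRA_CAPABILITIES@ is filled in by meson; with CLAT it expands to CAP_BPF CAP_PERFMON (Linux >= 5.8).` As far as I recall, a systemd or libcap that does not know CAP_BPF or CAP_PERFMON logs the unknown names and ignores them rather than failing the unit, so on such hosts the bounding set silently ends up without them; worth confirming against the minimum supported versions. The unit's path and the rest of the file are outside this view.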


@ -26,6 +26,7 @@ nm_micro_version = version_array[2].to_int()
nm_id_prefix = 'NM' nm_id_prefix = 'NM'
nm_gir_version = '1.0' nm_gir_version = '1.0'
service_extra_capabilities = []
# Distribution version string # Distribution version string
dist_version = get_option('dist_version') dist_version = get_option('dist_version')
@ -495,6 +496,12 @@ if enable_clat
libbpf = dependency('libbpf', version: '>= 0.1.0', required: false) libbpf = dependency('libbpf', version: '>= 0.1.0', required: false)
assert(libbpf.found(), 'You must have libbpf installed to build. Use -Dclat=false to disable use of it') assert(libbpf.found(), 'You must have libbpf installed to build. Use -Dclat=false to disable use of it')
libxdp = dependency('libxdp', version: '>= 0.1.0', required: false) libxdp = dependency('libxdp', version: '>= 0.1.0', required: false)
if 'CAP_BPF' not in service_extra_capabilities
service_extra_capabilities += 'CAP_BPF'
endif
if 'CAP_PERFMON' not in service_extra_capabilities
service_extra_capabilities += 'CAP_PERFMON'
endif
endif endif
config_h.set10('HAVE_CLAT', enable_clat) config_h.set10('HAVE_CLAT', enable_clat)
@ -963,6 +970,7 @@ data_conf.set('NM_MAJOR_VERSION', nm_major_version)
data_conf.set('NM_MICRO_VERSION', nm_micro_version) data_conf.set('NM_MICRO_VERSION', nm_micro_version)
data_conf.set('NM_MINOR_VERSION', nm_minor_version) data_conf.set('NM_MINOR_VERSION', nm_minor_version)
data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep')) data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep'))
data_conf.set('SERVICE_EXTRA_CAPABILITIES', ' '.join(service_extra_capabilities))
data_conf.set('NM_VERSION', nm_version) data_conf.set('NM_VERSION', nm_version)
data_conf.set('VERSION', nm_version) data_conf.set('VERSION', nm_version)
data_conf.set('bindir', nm_bindir) data_conf.set('bindir', nm_bindir)
@ -1169,4 +1177,5 @@ output += ' vapi: ' + enable_vapi.to_string() + '\n'
output += ' ebpf: ' + enable_ebpf.to_string() + '\n' output += ' ebpf: ' + enable_ebpf.to_string() + '\n'
output += ' clat: ' + enable_clat.to_string() + '\n' output += ' clat: ' + enable_clat.to_string() + '\n'
output += ' readline: ' + with_readline + '\n' output += ' readline: ' + with_readline + '\n'
output += ' systemd service extra capabilities: ' + ', '.join(service_extra_capabilities) + '\n'
message(output) message(output)
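Review bot: The two `not in` guards in the `if enable_clat` hunk are dead as far as the visible hunks show — `service_extra_capabilities` is initialised empty and nothing else in this commit appends to it — so `service_extra_capabilities += ['CAP_BPF', 'CAP_PERFMON']` would read more directly; if the guards are meant for future additions from other build options, a comment should say so. Either way the block should carry the rationale from the commit message, since the unit file only ever sees a placeholder: `# CLAT's BPF program needs CAP_BPF (Linux >= 5.8) and CAP_PERFMON for some BPF operations; both are added to the service's CapabilityBoundingSet.` The later hunks join the list with `' '` for data_conf and `', '` for the configuration summary, which is consistent with what the unit file expects but is easy to get backwards when the next capability is added. The enclosing `if enable_clat` block begins outside the hunk.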