systemd: add CAP_BPF capability when building with eBPF support

Since 5.8, the kernel requires CAP_BPF for processes that want to use
eBPF. CAP_BPF together with CAP_NET_ADMIN allows loading networking
eBPF programs (e.g. attaching a filter to a socket).

Add the capability to the service unit when we are building with eBPF
support.
Beniamino Galvani 2024-02-05 20:28:42 +01:00
parent 01354ce889
commit ebe83f27bb
4 changed files with 8 additions and 1 deletions


@ -214,6 +214,7 @@ data_edit = sed \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@libexecdir[@]|$(libexecdir)|g' \
-e 's|@DISTRO_NETWORK_SERVICE[@]|$(DISTRO_NETWORK_SERVICE)|g' \
-e 's|@SERVICE_EXTRA_CAPABILITIES[@]|$(SERVICE_EXTRA_CAPABILITIES)|g' \
-e 's|@NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT[@]|$(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT)|g' \
-e 's|@NM_CONFIG_DEFAULT_LOGGING_BACKEND_TEXT[@]|$(NM_CONFIG_DEFAULT_LOGGING_BACKEND_TEXT)|g' \
-e 's|@NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT[@]|$(NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT)|g' \


@ -578,6 +578,11 @@ else
fi
AM_CONDITIONAL(WITH_EBPF, test "${have_ebpf}" = "yes")
if test "$have_ebpf" = "yes"; then
SERVICE_EXTRA_CAPABILITIES="$SERVICE_EXTRA_CAPABILITIES CAP_BPF"
fi
AC_SUBST(SERVICE_EXTRA_CAPABILITIES)
# SELinux support
AC_ARG_WITH(selinux,
AS_HELP_STRING([--with-selinux=yes|no|auto], [Build with SELinux [default=auto]]),
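Review bot: The autotools and meson sides compute SERVICE_EXTRA_CAPABILITIES differently: here it is appended to whatever the variable already holds (`SERVICE_EXTRA_CAPABILITIES="$SERVICE_EXTRA_CAPABILITIES CAP_BPF"`), while the meson hunk sets it to exactly `'CAP_BPF'` or `''`. Nothing in this hunk initialises the variable, so the first append yields a leading space (harmless for a whitespace-separated unit setting), but if a second extra capability is ever added the two build systems will silently diverge. Either initialise it explicitly before the test, `SERVICE_EXTRA_CAPABILITIES=""`, or make the meson side build a list in the same additive way so both stay in step. The `else`/`fi` pair at the top of the hunk belongs to an eBPF detection block that starts outside the hunk.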


@ -20,7 +20,7 @@ KillMode=process
TimeoutStartSec=600
# CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT @SERVICE_EXTRA_CAPABILITIES@
ProtectSystem=true
ProtectHome=read-only
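Review bot: The unit documents why the non-obvious capabilities are in the bounding set (the CAP_DAC_OVERRIDE comment just above), but the new `@SERVICE_EXTRA_CAPABILITIES@` placeholder is undocumented, and a reader of the generated unit will see a bare CAP_BPF with no justification. Add a comment next to the existing one such as `# @SERVICE_EXTRA_CAPABILITIES@: CAP_BPF when built with eBPF support; since kernel 5.8 it is required together with CAP_NET_ADMIN to load networking eBPF programs.`, which also records that the expansion is intentionally empty in non-eBPF builds. Presumably systemd versions that predate CAP_BPF support will not recognise the name on older systems; if that matters for supported targets, noting the minimum systemd version in the same comment would help.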


@ -901,6 +901,7 @@ data_conf.set('NM_MAJOR_VERSION', nm_major_version)
data_conf.set('NM_MICRO_VERSION', nm_micro_version)
data_conf.set('NM_MINOR_VERSION', nm_minor_version)
data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep'))
data_conf.set('SERVICE_EXTRA_CAPABILITIES', (enable_ebpf ? 'CAP_BPF' : ''))
data_conf.set('NM_VERSION', nm_version)
data_conf.set('VERSION', nm_version)
data_conf.set('bindir', nm_bindir)