From ebe83f27bb11b70f6f08c2f5a1dd434551c0d29c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Mon, 5 Feb 2024 20:28:42 +0100
Subject: [PATCH] systemd: add CAP_BPF capability when building with eBPF support

Since 5.8, kernel requires CAP_BPF for processes that want to use eBPF. CAP_BPF together with CAP_NET_ADMIN allows to load networking eBPF programs (e.g. attach a filter to a socket). Add the capability to the service unit when we are building with eBPF support.
---
 Makefile.am | 1 +
 configure.ac | 5 +++++
 data/NetworkManager.service.in | 2 +-
 meson.build | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index 833e8046e9..77be3b24f2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -214,6 +214,7 @@ data_edit = sed \
 -e 's|@localstatedir[@]|$(localstatedir)|g' \
 -e 's|@libexecdir[@]|$(libexecdir)|g' \
 -e 's|@DISTRO_NETWORK_SERVICE[@]|$(DISTRO_NETWORK_SERVICE)|g' \
+ -e 's|@SERVICE_EXTRA_CAPABILITIES[@]|$(SERVICE_EXTRA_CAPABILITIES)|g' \
 -e 's|@NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT[@]|$(NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT)|g' \
 -e 's|@NM_CONFIG_DEFAULT_LOGGING_BACKEND_TEXT[@]|$(NM_CONFIG_DEFAULT_LOGGING_BACKEND_TEXT)|g' \
 -e 's|@NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT[@]|$(NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT)|g' \
diff --git a/configure.ac b/configure.ac
index 7ab652e788..93a615a085 100644
--- a/configure.ac
+++ b/configure.ac
@@ -578,6 +578,11 @@ else
 fi
 AM_CONDITIONAL(WITH_EBPF, test "${have_ebpf}" = "yes")
+if test "$have_ebpf" = "yes"; then
+ SERVICE_EXTRA_CAPABILITIES="$SERVICE_EXTRA_CAPABILITIES CAP_BPF"
+fi
+AC_SUBST(SERVICE_EXTRA_CAPABILITIES)
+
 # SELinux support
 AC_ARG_WITH(selinux, AS_HELP_STRING([--with-selinux=yes|no|auto], [Build with SELinux [default=auto]]),
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index f09ae86ceb..2d0c0f8207 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
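Review bot: The new `SERVICE_EXTRA_CAPABILITIES` block in the configure.ac hunk carries no comment saying what the variable feeds or why CAP_BPF is gated on `have_ebpf`, and its shape differs from the meson side, which sets the literal `'CAP_BPF'` instead of appending to an existing value, so any further conditional capability would have to be wired differently in the two build systems. Suggest a line above the `if`, e.g. `# Extra capabilities substituted into CapabilityBoundingSet= of data/NetworkManager.service.in; CAP_BPF is needed on kernels >= 5.8 to load eBPF programs.` The added test also spells the variable `"$have_ebpf"` while the `AM_CONDITIONAL` line directly above uses `"${have_ebpf}"`; matching the existing form keeps the two checks visibly identical.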
@@ -20,7 +20,7 @@ KillMode=process
 TimeoutStartSec=600
 # CAP_DAC_OVERRIDE: required to open /run/openvswitch/db.sock socket.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT @SERVICE_EXTRA_CAPABILITIES@
 ProtectSystem=true
 ProtectHome=read-only
diff --git a/meson.build b/meson.build
index 177b0326b1..502d5dbac7 100644
--- a/meson.build
+++ b/meson.build
@@ -901,6 +901,7 @@ data_conf.set('NM_MAJOR_VERSION', nm_major_version)
 data_conf.set('NM_MICRO_VERSION', nm_micro_version)
 data_conf.set('NM_MINOR_VERSION', nm_minor_version)
 data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep'))
+data_conf.set('SERVICE_EXTRA_CAPABILITIES', (enable_ebpf ? 'CAP_BPF' : ''))
 data_conf.set('NM_VERSION', nm_version)
 data_conf.set('VERSION', nm_version)
 data_conf.set('bindir', nm_bindir)
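Review bot: The unit explains why CAP_DAC_OVERRIDE is in the bounding set, but the new `@SERVICE_EXTRA_CAPABILITIES@` placeholder on the changed `CapabilityBoundingSet=` line gets no such note, and since it expands to an empty string on non-eBPF builds a reader of the installed unit cannot tell from the file why CAP_BPF is present. Suggest a comment next to the existing one, e.g. `# CAP_BPF (only when built with eBPF support): required since kernel 5.8 to load networking eBPF programs.` Widening the bounding set also widens what the daemon can do if it is ever compromised, so keeping the rationale in the unit helps whoever revisits the hardening of this service later. How systemd treats CAP_BPF on kernels that predate it is not visible here; if older kernels are still supported, that is worth stating in the commit message.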