From bddfc8afd329ac68a23f66a3512d4e249af25191 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Mon, 2 Jun 2014 21:50:50 +0200 Subject: networkd: drop CAP_SYS_MODULE Rely on modules being built-in or autoloaded on-demand. As networkd is a network facing service, we want to limits its capabilities, as much as possible. Also, we may not have CAP_SYS_MODULE in a container, and we want networkd to work the same there. Module autoloading does not always work, but should be fixed by the kernel patch f98f89a0104454f35a: 'net: tunnels - enable module autoloading', which is currently in net-next and which people may consider backporting if they want tunneling support without compiling in the modules. Early adopters may also use a module-load.d snippet and order systemd-modules-load.service before networkd to force the module loading of tunneling modules. This sholud fix the various build issues people have reported. --- units/systemd-networkd.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'units') diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 33c3fca488..3538295df4 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -19,7 +19,7 @@ Type=notify Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-networkd -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER WatchdogSec=1min [Install] -- cgit v1.2.3-54-g00ecf