MT#55283 actually grant the capabilities

Capabilities listed in the ambient set must also be included in the bounding set. Change-Id: Iac8a97f6ba4f5446430ec2678092f768aeb8bb25 Related-to: I172bd30c9fbe488574e9cc015ba552e805c95fe6
sipwise · Sep 6, 2023 · 8d6e649 · 8d6e649
1 parent 2aa8520
commit 8d6e649
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/debian/ngcp-rtpengine-recording-daemon.service b/debian/ngcp-rtpengine-recording-daemon.service
@@ -12,6 +12,7 @@ LimitNOFILE=100000
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 User=rtpengine
 Group=rtpengine
 ExecStart=/usr/bin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf

diff --git a/el/rtpengine-recording.service b/el/rtpengine-recording.service
@@ -11,6 +11,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine-recording
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/rtpengine-recording.pid
 ExecStart=/usr/bin/rtpengine-recording --config-file=${CFG_FILE} --pidfile=${PID_FILE}

diff --git a/el/rtpengine.service b/el/rtpengine.service
@@ -9,6 +9,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE
 LimitNOFILE=150000
 RuntimeDirectory=rtpengine
 PIDFile=/run/rtpengine/rtpengine.pid