From: Ruben Kerkhof
Date: Wed, 9 Sep 2015 16:52:26 +0000 (+0200)
Subject: systemd: drop all capabilities by default
X-Git-Tag: collectd-5.6.0~591^2
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=e9ad0b82b3620ba9ed6754e9324f9d2b9ff027c3;p=collectd.git

systemd: drop all capabilities by default

dns and ping need CAP_NET_RAW, iptables needs CAP_NET_ADMIN so leave those commented out in the .service file.
---
diff --git a/contrib/systemd.collectd.service b/contrib/systemd.collectd.service
index 50820bd7..0e758e40 100644
--- a/contrib/systemd.collectd.service
+++ b/contrib/systemd.collectd.service
@@ -10,6 +10,15 @@ EnvironmentFile=-/etc/default/collectd
 ProtectSystem=full
 ProtectHome=true
+# drop all capabilities:
+CapabilityBoundingSet=
+# use this instead if you use the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW
+# turn this on if you use the iptables next to the dns or ping plugin
+#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+
+NoNewPrivileges=true
+
 # Tell systemd it will receive a notification from collectd over it's control
 # socket once the daemon is ready. See systemd.service(5) for more details.
 Type=notify
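Review bot: The empty `CapabilityBoundingSet=` applies to every plugin the daemon loads, but the comments name only dns, ping and iptables, so an operator whose other plugin stops collecting after this change has no hint that the bounding set is the cause. If the service runs as root (no `User=` is visible in the hunk, and the `[Service]` section starts outside it), an empty set also removes the capabilities root normally relies on, such as CAP_DAC_OVERRIDE and CAP_SETUID/CAP_SETGID. Plugins that read files root cannot open by plain permission bits, or that switch user as exec presumably does, should therefore be checked and listed here. `NoNewPrivileges=true` has no comment at all; I would add `# children cannot gain privileges through setuid/setgid binaries or file capabilities, so e.g. sudo inside exec scripts will fail`. The iptables comment covers only the combined case, so a separate `#CapabilityBoundingSet=CAP_NET_ADMIN` line for iptables alone would keep CAP_NET_RAW out of the set when dns and ping are not in use.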