MT#55283 actually grant the capabilities

Capabilities listed in the ambient set must also be included in the bounding set. Change-Id: Iac8a97f6ba4f5446430ec2678092f768aeb8bb25 Related-to: I172bd30c9fbe488574e9cc015ba552e805c95fe6
2 years ago · 36a1fc36ad
parent 3a7a2d5a6d
commit 36a1fc36ad
3 changed files with 3 additions and 0 deletions
--- a/debian/ngcp-rtpengine-recording-daemon.service
+++ b/debian/ngcp-rtpengine-recording-daemon.service
@ -12,6 +12,7 @@ LimitNOFILE=100000
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 User=rtpengine
 Group=rtpengine
 ExecStart=/usr/bin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
--- a/el/rtpengine-recording.service
+++ b/el/rtpengine-recording.service
@ -11,6 +11,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine-recording
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/rtpengine-recording.pid
 ExecStart=/usr/bin/rtpengine-recording --config-file=${CFG_FILE} --pidfile=${PID_FILE}
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
@ -9,6 +9,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE
 LimitNOFILE=150000
 RuntimeDirectory=rtpengine
 PIDFile=/run/rtpengine/rtpengine.pid