From 8d6e649e7e9d33c8e9bf966f5c424926f37142b2 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Fri, 1 Sep 2023 08:07:51 -0400
Subject: [PATCH] MT#55283 actually grant the capabilities

Capabilities listed in the ambient set must also be included in the bounding set.

Change-Id: Iac8a97f6ba4f5446430ec2678092f768aeb8bb25
Related-to: I172bd30c9fbe488574e9cc015ba552e805c95fe6
---
 debian/ngcp-rtpengine-recording-daemon.service | 1 +
 el/rtpengine-recording.service | 1 +
 el/rtpengine.service | 1 +
 3 files changed, 3 insertions(+)

diff --git a/debian/ngcp-rtpengine-recording-daemon.service b/debian/ngcp-rtpengine-recording-daemon.service
index 10dd70573..c0ed9a725 100644
--- a/debian/ngcp-rtpengine-recording-daemon.service
+++ b/debian/ngcp-rtpengine-recording-daemon.service
@@ -12,6 +12,7 @@ LimitNOFILE=100000
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 User=rtpengine
 Group=rtpengine
 ExecStart=/usr/bin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
diff --git a/el/rtpengine-recording.service b/el/rtpengine-recording.service
index 2f9aacc2f..d518df881 100644
--- a/el/rtpengine-recording.service
+++ b/el/rtpengine-recording.service
@@ -11,6 +11,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine-recording
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
 RuntimeDirectory=rtpengine-recording
 PIDFile=/run/rtpengine-recording/rtpengine-recording.pid
 ExecStart=/usr/bin/rtpengine-recording --config-file=${CFG_FILE} --pidfile=${PID_FILE}
diff --git a/el/rtpengine.service b/el/rtpengine.service
index 9e1b6bde8..958021e80 100644
--- a/el/rtpengine.service
+++ b/el/rtpengine.service
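Review bot: The capability list is now written twice in each unit, once on `AmbientCapabilities=` and once on the added `CapabilityBoundingSet=`, and nothing in the file says the two lines have to stay in step; the same holds for the hunks in el/rtpengine-recording.service and el/rtpengine.service. Going by the commit message, a capability later added only to the ambient line would not be granted, which is the failure this commit fixes. I would put a comment above the pair, e.g. `# CapabilityBoundingSet= must contain every entry of AmbientCapabilities=; a capability missing here is not granted.` The [Service] section continues outside each hunk, so any other Exec lines there should be checked against the narrowed set, because commands without the `+` prefix are confined to it as well.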
@@ -9,6 +9,7 @@ EnvironmentFile=/etc/sysconfig/rtpengine
 User=ngcp-rtpengine
 Group=ngcp-rtpengine
 AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE
 LimitNOFILE=150000
 RuntimeDirectory=rtpengine
 PIDFile=/run/rtpengine/rtpengine.pid
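Review bot: The diffstat covers both recording units but only the el/ unit for the main daemon, so this patch does not bring the Debian packaging of the main daemon in line. If that unit also sets `AmbientCapabilities=` (it is not visible here), it needs the matching `CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE` line; otherwise the two packagings end up with different capability confinement for the same binary. The [Service] section of el/rtpengine.service continues outside the hunk.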