From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001 From: Sami Kerola Date: Wed, 3 Mar 2021 20:51:18 +0000 Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file Quoting systemd.exec(5) manual page 'Specifically this means that the process will have zero process capabilities on the host's user namespace'. That does not combine well with CAP_NET_RAW that needs to take effect in the host's namespace. Secondly add CapabilityBoundingSet that will ensure capabilities are limited to the one and only capability it needs. Fixes: https://github.com/iputils/iputils/issues/314 Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers= Signed-off-by: Sami Kerola --- systemd/rdisc.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in index 4e2a1ec..6ef7fc3 100644 --- a/systemd/rdisc.service.in +++ b/systemd/rdisc.service.in @@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS AmbientCapabilities=CAP_NET_RAW +CapabilityBoundingSet=CAP_NET_RAW PrivateTmp=yes -PrivateUsers=yes ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes -- 2.23.0
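Review bot: the removal of `PrivateUsers=yes` in this hunk should be accompanied by a comment in the unit file recording why the directive must stay out, since a later hardening pass is likely to re-add it and reintroduce the breakage from issue 314; a line such as `# PrivateUsers= is intentionally absent: it leaves the process with no capabilities in the host user namespace, which defeats CAP_NET_RAW` next to the `AmbientCapabilities=` line would do. Adding `CapabilityBoundingSet=CAP_NET_RAW` is the right companion to `AmbientCapabilities=CAP_NET_RAW`, because an ambient capability must also be present in the bounding set, and it limits the service to that single capability; note that the hunk's context shows no `User=` line, and `AmbientCapabilities=` only matters for a non-root `User=`, so confirm the unit sets one elsewhere (if rdisc runs as root, the bounding set alone does the limiting and the ambient line is redundant).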