Set capabilities for nether process and binary.

Nether running as non-privileged user needs CAP_NET_ADMIN for netfilter
to work. Additionally it needs CAP_NET_RAW to restore firewall with
iptables.

Change-Id: Ieb358e8837769ffe2039c608be2361e2feec8a1c
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>

diff --git a/conf/systemd/nether.service.in b/conf/systemd/nether.service.in
index 4c38f6fd59ef7a741d63575990452e5599f5866a..ef26b16fdbba6765f5487effc5ad7778658cbc2e 100755 (executable)
--- a/conf/systemd/nether.service.in
+++ b/conf/systemd/nether.service.in
@@ -26,6 +26,9 @@ Restart=on-failure
 ExecReload=/bin/kill -HUP $MAINPID
 User=security_fw
 Group=security_fw
+SecureBits=keep-caps
+Capabilities=cap_net_admin,cap_net_raw=eip
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
 
 [Install]
 WantedBy=multi-user.target

diff --git a/packaging/nether.spec b/packaging/nether.spec
index 5775d7104c59c0e5ab9129449552dad58ba80801..e19c081863547477c4963e385ec0fbe151157aa2 100755 (executable)
--- a/packaging/nether.spec
+++ b/packaging/nether.spec
@@ -15,8 +15,7 @@ This is a network privilege enforcing service.
 
 %files
 %defattr(644,root,root,755)
-#%caps(cap_sys_admin,cap_mac_override=ei) 
-%attr(755,root,root) %{_bindir}/nether
+%caps(cap_net_admin,cap_net_raw=ei) %attr(755,root,root) %{_bindir}/nether
 %dir %{_sysconfdir}/nether
 %config %{_sysconfdir}/nether/file.policy
 %config %{_sysconfdir}/nether/nether.rules