Bug 1409586

Summary: Cannot modify CapabilityBoundingSet in drop-in file
Product: Red Hat Enterprise Linux 7
Reporter: Laurent Bigonville <bigon>
Component: systemd
Assignee: Lukáš Nykrýn <lnykryn>
Status: CLOSED ERRATA
QA Contact: Branislav Blaškovič <bblaskov>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: bblaskov, carroarmato0, fsumsal, mscherer, systemd-maint-list
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: systemd-219-31.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:12:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1383699, 1393867, 1400961

Description Laurent Bigonville 2017-01-02 14:39:22 UTC
Description of problem:
Hi,

I'm trying to override the CapabilityBoundingSet in a drop-in file but that doesn't seem to work. The upstream .service file is cleaning the set completely (CapabilityBoundingSet=) and in the drop-in file I'm trying to grant CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

Version-Release number of selected component (if applicable):
systemd-219-30.el7_3.6.x86_64

# systemctl cat collectd.service 
# /usr/lib/systemd/system/collectd.service
[Unit]
Description=Collectd statistics daemon
Documentation=man:collectd(1) man:collectd.conf(5)
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target

[Service]
ExecStart=/usr/sbin/collectd
EnvironmentFile=-/etc/sysconfig/collectd
EnvironmentFile=-/etc/default/collectd
ProtectSystem=full
ProtectHome=true

# A few plugins won't work without some privileges, which you'll have to
# specify using the CapabilityBoundingSet directive below.
#
# Here's an (incomplete) list of the plugins' known capability requirements:
#   ceph            CAP_DAC_OVERRIDE
#   dns             CAP_NET_RAW
#   exec            CAP_SETUID CAP_SETGID
#   iptables        CAP_NET_ADMIN
#   ping            CAP_NET_RAW
#   turbostat       CAP_SYS_RAWIO
#
# Example, if you use the iptables plugin alongside the dns or ping plugin:
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
#
# By default, drop all capabilities:
CapabilityBoundingSet=

NoNewPrivileges=true

# Tell systemd it will receive a notification from collectd over its control
# socket once the daemon is ready. See systemd.service(5) for more details.
Type=notify

# Restart the collectd daemon when it fails.
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]

CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

==========

# systemctl show -p CapabilityBoundingSet collectd.service 
CapabilityBoundingSet=0

==========


Somebody confirmed on IRC that it was working on Arch with version 232

Comment 1 Lukáš Nykrýn 2017-01-02 15:08:01 UTC
Looks like https://github.com/systemd/systemd/issues/1221

We should look to these upstream patches and backport them if necessary.

cf677fe core/execute: add the magic character '!' to allow privileged execution (#3493)
661b37b core: fix capability bounding set parsing
b9d345b core: fix CapabilityBoundingSet merging

Comment 2 Lukáš Nykrýn 2017-01-02 15:08:58 UTC
> cf677fe core/execute: add the magic character '!' to allow privileged
> execution (#3493)

Probably not this one.

Comment 3 Christophe Vanlancker 2017-01-03 09:19:06 UTC
Same problem with:

# /etc/systemd/system/collectd.service.d/capabilities.conf
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
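
The merge rule that the description and Comment 3 run into, as an added example that is not part of the bug report or of systemd's code: a Python model of how the fixed parser combines CapabilityBoundingSet= lines from a unit file and its drop-ins, plus decoders for the two places the effective set can be read back. The merge rules follow systemd.exec(5): an empty value resets to the empty set, "~" alone resets to the full set, the first real assignment replaces the default, later plain lines OR in and "~"-prefixed lines AND out. Capability bit numbers are those of linux/capability.h. The unit and drop-in texts are trimmed copies of the ones posted above; the /proc status line is constructed. On systemd 219 `systemctl show -p CapabilityBoundingSet` prints the mask as a decimal integer (the `0` in the report); newer versions print names, and the decoder accepts both.

```python
import re

# Capability bit numbers from linux/capability.h (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BIT = {name: 1 << i for i, name in enumerate(CAP_NAMES)}
CAP_ALL = (1 << 64) - 1  # systemd's "option never set" value for the bounding set

KEY_RE = re.compile(r"^\s*CapabilityBoundingSet\s*=(.*)$")


def bounding_set_values(*fragments):
    """Collect CapabilityBoundingSet= values from the unit file followed by its
    drop-ins, in the order systemd reads them, skipping '#'/';' comment lines.
    (Section headers are not tracked: the key is only valid in [Service].)"""
    values = []
    for text in fragments:
        for line in text.splitlines():
            if line.lstrip().startswith(("#", ";")):
                continue
            m = KEY_RE.match(line)
            if m:
                values.append(m.group(1))
    return values


def merge_bounding_set(values):
    """Fold the values into one 64-bit mask the way the fixed parser does
    (systemd.exec(5)): '' -> empty set, '~' -> full set, the first real
    assignment replaces the default, later plain lines OR in and
    '~'-prefixed lines AND out."""
    current = CAP_ALL
    for value in values:
        value = value.strip()
        invert = value.startswith("~")
        if invert:
            value = value[1:]
        mask = 0
        for name in value.split():
            if name.upper() not in CAP_BIT:
                raise ValueError("unknown capability %r" % name)
            mask |= CAP_BIT[name.upper()]
        if mask == 0 or current == CAP_ALL:
            # reset ('' or '~') or first assignment: replace rather than merge
            current = (CAP_ALL & ~mask) if invert else mask
        elif invert:
            current &= ~mask
        else:
            current |= mask
    return current


def cap_names(mask):
    """Capability names present in a mask, in bit order."""
    return [name for name in CAP_NAMES if mask & CAP_BIT[name]]


def from_systemctl_show(output):
    """Parse the line printed by `systemctl show -p CapabilityBoundingSet`:
    a decimal mask on systemd 219, space-separated names on newer versions."""
    key, _, value = output.strip().partition("=")
    if key != "CapabilityBoundingSet":
        raise ValueError("unexpected property %r" % key)
    return int(value) if value.isdigit() else merge_bounding_set([value])


def from_proc_status(status_text):
    """Read the live bounding set of a running process from /proc/<pid>/status
    (the CapBnd line, a hex mask)."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line in status text")


# Constructed inputs: a trimmed copy of the unit file from the report, the drop-ins
# from the description and from Comment 3, and a constructed /proc status excerpt.
COLLECTD_UNIT = """\
[Service]
ExecStart=/usr/sbin/collectd
#CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=
NoNewPrivileges=true
"""
DROPIN_DESCRIPTION = "[Service]\nCapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN\n"
DROPIN_COMMENT3 = "[Service]\nCapabilityBoundingSet=\nCapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN\n"
SAMPLE_STATUS = "Name:\tcollectd\nCapBnd:\t0000000000003000\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    for label, dropin in (("description", DROPIN_DESCRIPTION), ("comment 3", DROPIN_COMMENT3)):
        mask = merge_bounding_set(bounding_set_values(COLLECTD_UNIT, dropin))
        print("%-11s -> %d (%s)" % (label, mask, " ".join(cap_names(mask))))
    # Without a reset line a drop-in only adds to what the unit file already grants:
    print("no reset    ->", cap_names(merge_bounding_set(["CAP_NET_ADMIN", "CAP_NET_RAW"])))
    print("report shows:", cap_names(from_systemctl_show("CapabilityBoundingSet=0")) or "empty set")
    print("live process:", cap_names(from_proc_status(SAMPLE_STATUS)))
```

Both drop-ins posted above fold to CAP_NET_ADMIN|CAP_NET_RAW (bits 12 and 13, decimal 12288) under these rules, which is the value a fixed systemd-219 should print where the report shows 0. Two checks worth doing after editing a drop-in: run `systemctl daemon-reload` before `systemctl show -p CapabilityBoundingSet collectd.service`, since `show` reports the parsed unit and not the file on disk, and confirm the live process with `grep CapBnd /proc/<MainPID>/status`, taking MainPID from `systemctl show -p MainPID collectd.service`. Note also the non-obvious part of the merge rule: a drop-in that lists capabilities without a preceding empty `CapabilityBoundingSet=` line adds to the unit file's set rather than replacing it.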

Comment 4 Lukáš Nykrýn 2017-01-03 11:42:02 UTC
https://github.com/lnykryn/systemd-rhel/pull/72

Comment 5 Lukáš Nykrýn 2017-01-03 16:34:36 UTC
*** Bug 1381057 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2017-08-01 09:12:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2297