From 81a9366f49646c8e8a9feef1bdcc383f1a23daf4 Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Mon, 27 Jun 2022 15:46:33 +0200
Subject: [PATCH] TT#182450 systemd hardening: mention required capabilities when running as root
Now that we run as non-root user by default, we didn't have proper capabilities for still running under root user. Document, what's required to do so.
NOTE: related to TT#157800 (rtpengine: run as non-root) and TT#76552 (systemd hardening)
Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e
---
debian/ngcp-rtpengine-daemon.service | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/debian/ngcp-rtpengine-daemon.service b/debian/ngcp-rtpengine-daemon.service
index 6dabaf348..9e84c5a75 100644
--- a/debian/ngcp-rtpengine-daemon.service
+++ b/debian/ngcp-rtpengine-daemon.service
@@ -54,6 +54,12 @@ SystemCallArchitectures=native
 # Limit set of capabilities
 CapabilityBoundingSet=
+# NOTE: when running rtpengine under root user (via User=root/Group=root), further capabilities are required:
+# * CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID => for ownership handling in e.g. /run/rtpengine/
+# * CAP_FOWNER => for chmod-ing e.g. /run/rtpengine/
+# * CAP_NET_ADMIN => for network-related operations
+# * CAP_SYS_NICE => for e.g. setpriority usage
+#CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_FOWNER CAP_NET_ADMIN CAP_SYS_NICE
 # Service process does not receive ambient capabilities
 # NOTE: we need caps for running as non-root user