systemd: add chroot capability

CAP_SYS_CHROOT is needed for openvpn hardening.
author: Lubomir Rintel <lkundrak@v3.sk> 2016-01-22 22:11:07 +0100
committer: Lubomir Rintel <lkundrak@v3.sk> 2016-01-22 22:12:43 +0100
commit: ba24a127398310ccfe8ac2bc4a207805d3bb9818 (patch)
tree: fe910fdd01c918a3e086c171b004037450628f46 /data
parent: 1408b8c0a21105f3ea6d2e58d0fc03835f255d34 (diff)
download: NetworkManager-ba24a127398310ccfe8ac2bc4a207805d3bb9818.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index ba10eedc5f..ea98b95fca 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -12,7 +12,7 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 ProtectSystem=true
 ProtectHome=read-only
author	Lubomir Rintel <lkundrak@v3.sk>	2016-01-22 22:11:07 +0100
committer	Lubomir Rintel <lkundrak@v3.sk>	2016-01-22 22:12:43 +0100
commit	ba24a127398310ccfe8ac2bc4a207805d3bb9818 (patch)
tree	fe910fdd01c918a3e086c171b004037450628f46 /data
parent	1408b8c0a21105f3ea6d2e58d0fc03835f255d34 (diff)
download	NetworkManager-ba24a127398310ccfe8ac2bc4a207805d3bb9818.tar.gz