Set CapabiltyBoundingSet again

2026-03-14 12:45:47 +01:00 · 2026-02-12 12:00:00 +01:00 · 2026-02-12 12:00:00 +01:00 · a8cd1af78d
commit a8cd1af78d
parent 2f57f73ac9
2 changed files with 3 additions and 2 deletions
--- a/src/concepts/plugin.rs
+++ b/src/concepts/plugin.rs
@ -53,6 +53,8 @@ fn systemd_default_options(working_directory: &str) -> BTreeMap<String, Vec<Stri
            // Various Protections
            ("LockPersonality", vec!["true"]),
            ("NoNewPrivileges", vec!["true"]),
+            ("AmbientCapabilities", vec![""]),
+            ("CapabilityBoundingSet", vec![""]),
            // Isolate File
            ("RemoveIPC", vec!["true"]),
            ("RestrictNamespaces", vec!["true"]),
@ -67,7 +69,6 @@ fn systemd_default_options(working_directory: &str) -> BTreeMap<String, Vec<Stri
            // ("DynamicUser", vec!["true"]),
            // ("User", vec!["reaction-plugin-test"]),
            // Too restrictive
-            // ("CapabilityBoundingSet", vec![""]),
            // ("NoExecPaths", vec!["/"]),
            // ("RestrictAddressFamilies", vec![""]),
        ]
--- a/tests/test-conf/test-ipset.jsonnet
+++ b/tests/test-conf/test-ipset.jsonnet
@ -13,7 +13,7 @@
      path: './target/debug/reaction-plugin-ipset',
      check_root: false,
      systemd_options: {
-        AmbientCapabilities: ['CAP_NET_ADMIN'],
+        CapabilityBoundingSet: ['~CAP_NET_ADMIN', '~CAP_PERFMON'],
      },
    },
  },