[PATCH] Add capability for port in restricted range.

[PATCH] Add capability for port in restricted range.

[Michael Johnson]

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

This fixes an issue where the udp port was not being opened due to a
permission denied error. The result of this was the dhcp client would
fail to send the renewal request and so the dhcp lease would expire.

The addition of the CAP_NET_BIND_SERVICE capability allows the service
to open sockets in the restricted port range (<1024) which is required
for dhcp.
---
 src/iwd.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iwd.service.in b/src/iwd.service.in
index 96e4abac..ab0a5da7 100644
--- a/src/iwd.service.in
+++ b/src/iwd.service.in
@@ -11,7 +11,7 @@ ExecStart=@libexecdir@/iwd
 NotifyAccess=main
 LimitNPROC=1
 Restart=on-failure
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
 PrivateTmp=true
 NoNewPrivileges=true
 DevicePolicy=closed
-- 
2.25.1

Re: [PATCH] Add capability for port in restricted range.

[Denis Kenzior]

[-- Attachment #1: Type: text/plain, Size: 571 bytes --]

Hi Michael,

On 6/29/21 11:07 AM, Michael Johnson wrote:
> This fixes an issue where the udp port was not being opened due to a
> permission denied error. The result of this was the dhcp client would
> fail to send the renewal request and so the dhcp lease would expire.
> 
> The addition of the CAP_NET_BIND_SERVICE capability allows the service
> to open sockets in the restricted port range (<1024) which is required
> for dhcp.
> ---
>   src/iwd.service.in | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Applied, thanks.

Regards,
-Denis