author | Austin S. Hemmelgarn <austin@netdata.cloud> | 2020-07-20 19:59:20 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-21 09:59:20 +1000 |
commit | 2d2a270ec42e83ccdefa7f15ed3f8a030246645e (patch) | |
tree | c4cd84f47af0a448f1bda318e0dbc87759a66119 /system | |
parent | 092f00abc3de132f667bb682f36dddce4824d5ae (diff) |
Add CAP_SYS_RESOURCE to capability bounding set. (#9569)
This mitigates failures in the eBPF plugin. The issue is a `setrlimit()`
call we're making to allow us to call `memlock()`. The proper fix here
is dependent on whether we can prove that we actually need to call
`memlock()` or not (I suspect we do not _need_ to but it improves
measurement accuracy, in which case it should be optional). If we can,
then this is also a fix and not a mitigation. If we can't, then the fix
is to get rid of those calls in the eBPF plugin and remove this otherwise
unneeded capability from our bounding set.
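The commit message above raises the option of making the limit increase optional. The following C code is an added example, not part of the commit or of Netdata: it assumes the limit involved is `RLIMIT_MEMLOCK`, uses the hypothetical names `raise_memlock` and `memlock_result`, and shows that only raising the hard limit needs `CAP_SYS_RESOURCE`, with a fallback when the capability is absent.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Hypothetical names for this example; not Netdata's code. */
enum memlock_result { MEMLOCK_ERROR = -1, MEMLOCK_FULL = 0, MEMLOCK_PARTIAL = 1 };

/* Make the RLIMIT_MEMLOCK soft limit at least `want` bytes (assumption: this
 * is the limit the plugin raises). RLIM_INFINITY is the largest rlim_t on
 * Linux, so plain comparisons are enough. */
enum memlock_result raise_memlock(rlim_t want, rlim_t *granted)
{
    struct rlimit cur, next;

    if (getrlimit(RLIMIT_MEMLOCK, &cur) != 0)
        return MEMLOCK_ERROR;
    *granted = cur.rlim_cur;
    if (cur.rlim_cur >= want)            /* already enough: change nothing */
        return MEMLOCK_FULL;

    /* A soft limit up to the existing hard limit needs no capability. */
    next.rlim_cur = want;
    next.rlim_max = cur.rlim_max;
    if (want > cur.rlim_max) {
        /* Raising the hard limit is the part that needs CAP_SYS_RESOURCE. */
        next.rlim_max = want;
        if (setrlimit(RLIMIT_MEMLOCK, &next) != 0) {
            if (errno != EPERM)
                return MEMLOCK_ERROR;
            /* Denied: settle for soft == existing hard limit. */
            next.rlim_cur = next.rlim_max = cur.rlim_max;
            if (setrlimit(RLIMIT_MEMLOCK, &next) != 0)
                return MEMLOCK_ERROR;
            *granted = cur.rlim_max;
            return MEMLOCK_PARTIAL;
        }
    } else if (setrlimit(RLIMIT_MEMLOCK, &next) != 0) {
        return MEMLOCK_ERROR;
    }
    *granted = want;
    return MEMLOCK_FULL;
}

int main(void)
{
    rlim_t got = 0;
    enum memlock_result r = raise_memlock(RLIM_INFINITY, &got);
    printf("result=%d soft limit now=%llu\n", (int)r, (unsigned long long)got);
    return r == MEMLOCK_ERROR;
}
```

A caller that receives `MEMLOCK_PARTIAL` can continue with the granted limit instead of failing, which is the behaviour that would let the capability be dropped from the bounding set.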
Diffstat (limited to 'system')
-rw-r--r-- | system/netdata.service.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in index ccbd1cdf7f..89755146c2 100644 --- a/system/netdata.service.in +++ b/system/netdata.service.in @@ -51,6 +51,7 @@ CapabilityBoundingSet=CAP_FOWNER # is required for freeipmi plugin CapabilityBoundingSet=CAP_SETPCAP # is required for apps, perf and slabinfo plugins CapabilityBoundingSet=CAP_SYS_ADMIN # is required for perf plugin CapabilityBoundingSet=CAP_SYS_PTRACE # is required for apps plugin +CapabilityBoundingSet=CAP_SYS_RESOURCE # is required for ebpf plugin CapabilityBoundingSet=CAP_NET_RAW # is required for fping app # Sandboxing |
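Review bot: the comment on the added `CapabilityBoundingSet=CAP_SYS_RESOURCE` line says only "is required for ebpf plugin", while the commit message describes the change as a mitigation for a single `setrlimit()` call that may later be removed. The comment should record that reason and its provisional status, for example `# needed for the ebpf plugin's setrlimit() call; remove if that call is dropped`, so the capability does not stay in the bounding set after the plugin stops needing it. Because this bounding set is defined once for the whole unit, alongside the entries for the freeipmi, apps, perf and slabinfo plugins, the new capability is not scoped to the ebpf plugin alone, which is a further reason to track its removal explicitly.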