author Austin S. Hemmelgarn <austin@netdata.cloud> 2020-07-20 19:59:20 -0400
committer GitHub <noreply@github.com> 2020-07-21 09:59:20 +1000
commit 2d2a270ec42e83ccdefa7f15ed3f8a030246645e
tree c4cd84f47af0a448f1bda318e0dbc87759a66119 /system
parent 092f00abc3de132f667bb682f36dddce4824d5ae
Add CAP_SYS_RESOURCE to capability bounding set. (#9569)
This mitigates failures in the eBPF plugin. The issue is a `setrlimit()` call we're making to allow us to call `memlock()`. The proper fix here is dependent on whether we can prove that we actually need to call `memlock()` or not (I suspect we do not _need_ to but it improves measurement accuracy, in which case it should be optional). If we can, then this is also a fix and not a mitigation. If we can't, then the fix is to get rid of those calls in the eBPF plugin and remove this otherwise unneeded capability from our bounding set.
Diffstat (limited to 'system')
-rw-r--r-- system/netdata.service.in 1
1 files changed, 1 insertions, 0 deletions
diff --git a/system/netdata.service.in b/system/netdata.service.in
index ccbd1cdf7f..89755146c2 100644
--- a/system/netdata.service.in
+++ b/system/netdata.service.in
@@ -51,6 +51,7 @@ CapabilityBoundingSet=CAP_FOWNER # is required for freeipmi plugin
CapabilityBoundingSet=CAP_SETPCAP # is required for apps, perf and slabinfo plugins
CapabilityBoundingSet=CAP_SYS_ADMIN # is required for perf plugin
CapabilityBoundingSet=CAP_SYS_PTRACE # is required for apps plugin
+CapabilityBoundingSet=CAP_SYS_RESOURCE # is required for ebpf plugin
CapabilityBoundingSet=CAP_NET_RAW # is required for fping app
# Sandboxing
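Review bot: the comment on the added `CapabilityBoundingSet=CAP_SYS_RESOURCE` line says "is required for ebpf plugin", but the commit message describes this as a mitigation for a `setrlimit()` call that may prove unnecessary, so the comment should record that reason and that the entry is a candidate for removal. Without that, the line reads like the permanent requirements above it and is unlikely to be revisited. Note also that these entries set the bounding set for the whole unit, so the capability becomes available to every process the service starts, not only the eBPF plugin; CAP_SYS_RESOURCE covers more than raising the locked-memory limit. If the only need is a higher memlock limit, it is worth checking whether setting `LimitMEMLOCK=` in this unit would let the plugin's `setrlimit()` call succeed without widening the bounding set.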