Fix systemd service caps for process sniffing

2023-02-09 13:30:43 +08:00 · 2023-02-09 13:30:43 +08:00 · 4833f6d5db
parent 9db3cb5cb7
commit 4833f6d5db
3 changed files with 6 additions and 6 deletions
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@ -5,8 +5,8 @@ After=network.target nss-lookup.target

 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@ -5,8 +5,8 @@ After=network.target nss-lookup.target

 [Service]
 WorkingDirectory=/var/lib/sing-box-%i
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
 Restart=on-failure
 RestartSec=10s
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
@ -5,8 +5,8 @@ After=network.target nss-lookup.target

 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s