From 4833f6d5db987c5976ac66715d35b5d767d4b486 Mon Sep 17 00:00:00 2001
From: Gavin Luo
Date: Thu, 9 Feb 2023 13:30:43 +0800
Subject: [PATCH] Fix systemd service caps for process sniffing

---
 release/config/sing-box.service | 4 ++--
 release/config/sing-box@.service | 4 ++--
 release/local/sing-box.service | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/release/config/sing-box.service b/release/config/sing-box.service
index 707efe5d..16ca0a32 100644
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 
 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
index d6292a04..44925767 100644
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 
 [Service]
 WorkingDirectory=/var/lib/sing-box-%i
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
 Restart=on-failure
 RestartSec=10s
diff --git a/release/local/sing-box.service b/release/local/sing-box.service
index 94fce13d..2ea74bf1 100644
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
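Review bot: The new `CapabilityBoundingSet=` and `AmbientCapabilities=` lines grant CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH on every install, whether or not process sniffing is configured, and nothing in the unit says why they are there. CAP_DAC_READ_SEARCH bypasses file read and directory search permission checks and CAP_SYS_PTRACE allows inspecting other users' processes, so a compromise of this network-facing service would reach well beyond the previous CAP_NET_ADMIN/CAP_NET_BIND_SERVICE set. I would add a comment above both lines, for example `# CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH are needed only for process sniffing; remove them in a drop-in override if no rule matches on processes`, and the same applies to the identical hunks in release/config/sing-box@.service and release/local/sing-box.service. The rest of the [Service] section lies outside the hunk, so it cannot be seen from here whether hardening such as `NoNewPrivileges=true` is already set to limit what the wider capability set can be used for.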
@@ -5,8 +5,8 @@ After=network.target nss-lookup.target
 
 [Service]
 WorkingDirectory=/var/lib/sing-box
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
 Restart=on-failure
 RestartSec=10s