From 5a9784aa8c044df12b4cae8c464be0a3ba510efd Mon Sep 17 00:00:00 2001
From: Daniel Hovie
Date: Thu, 27 Jul 2023 17:09:30 +0200
Subject: [PATCH] Add capabilities to systemd service for eBPF

---
 linux/portmaster.service | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux/portmaster.service b/linux/portmaster.service
index af25a31..c69a9ff 100644
--- a/linux/portmaster.service
+++ b/linux/portmaster.service
@@ -32,8 +32,8 @@ ProtectKernelTunables=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
 PrivateDevices=yes
-AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
-CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid cap_sys_resource cap_bpf cap_perfmon
 # SystemCallArchitectures=native
 # SystemCallFilter=@system-service @module
 # SystemCallErrorNumber=EPERM
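Review bot: The three new capabilities on the AmbientCapabilities and CapabilityBoundingSet lines are added without any note of why each is needed or which kernels they apply to, which makes the widened privilege set hard to audit later; cap_bpf and cap_perfmon only exist on Linux 5.8 and newer, so the unit should state what happens on older kernels (where eBPF loading falls back to requiring cap_sys_admin, which this unit deliberately does not grant). A comment directly above the AmbientCapabilities line such as `# cap_bpf, cap_perfmon: load eBPF programs/maps (kernel >= 5.8); cap_sys_resource: raise RLIMIT_MEMLOCK for eBPF maps` would record the intent. If cap_sys_resource is granted only so the process can raise its own memlock limit, the narrower systemd directive `LimitMEMLOCK=infinity` achieves that without a capability that also lets the service override other resource limits and quotas — worth confirming against the loader code. With cap_sys_module and cap_sys_ptrace already in the set and SystemCallFilter still commented out, the bounding set is close to unrestricted, so the added capabilities should at least be accompanied by that rationale.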