From 74bef8b09c41bbdf1d40e65a121fbf0e79665604 Mon Sep 17 00:00:00 2001
From: Lukas1811 <40807034+Lukas1811@users.noreply.github.com>
Date: Thu, 24 Apr 2025 11:34:26 +0200
Subject: [PATCH] Added CAP_DAC_READ_SEARCH capability to systemd service file

With the old CapabilityBoundingSet the systemd service is not capable of loading (actually searching for) all permissions in the /etc/usbguard/rules.d folder. Adding CAP_DAC_READ_SEARCH allows the daemon running in a service to load rules from the rules folder.
---
 usbguard.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usbguard.service.in b/usbguard.service.in
index 1c131884..138a5a2d 100644
--- a/usbguard.service.in
+++ b/usbguard.service.in
@@ -6,7 +6,7 @@ Documentation=man:usbguard-daemon(8)
 [Service]
 OOMScoreAdjust=-1000
 AmbientCapabilities=
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH
 DevicePolicy=closed
 ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
 IPAddressDeny=any
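Review bot: The new `CapabilityBoundingSet=` line grants CAP_DAC_READ_SEARCH, which bypasses read and directory-search permission checks on every path the service can see, not only the rules.d folder named in the commit message. If the daemon runs as root (no `User=` is visible in this hunk, and the unit continues outside it), a root-owned rules directory would normally be readable without this capability, so it is worth confirming whether the failure comes from the directory's ownership or mode and fixing that instead. If the capability stays, a comment above the line such as `# CAP_DAC_READ_SEARCH: needed to search and read %sysconfdir%/usbguard/rules.d` would record why the set was widened. The directives outside this hunk should also be checked to confirm that sensitive paths are not left readable to a compromised daemon.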