net-analyzer/suricata: tweak the systemd unit a bit
author: Marek Szuba <marecki@gentoo.org>
Tue, 17 Dec 2019 00:16:19 +0000 (00:16 +0000)
committer: Marek Szuba <marecki@gentoo.org>
Tue, 17 Dec 2019 00:16:19 +0000 (00:16 +0000)
Some of the ideas I picked up from
https://gist.github.com/stupidpupil/4edcbe2046b3b22c81c606efee0492d7 do
not quite work at present, namely:
 - limiting capabilities to CAP_NET_ADMIN causes problems e.g. when
   switching to an unprivileged user or while trying to load eBPF files.
   Just get rid of it;
 - suricata can now be launched just fine without Type=forking.

Moreover, /run is now used instead of /var/run in the unit file so that
systemd doesn't complain about the use of legacy paths.

No revbump because even the updated unit does not run out of the box due
to specifying neither an interface nor a mode of operations on the
command line.

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki@gentoo.org>
net-analyzer/suricata/files/suricata.service

index 5e617388018fac9a5614a1dd6318fc1c7653cb4e..294ec637348157ea190bbbf2a1f73fec27583710 100644 (file)
@@ -6,11 +6,9 @@ Documentation=man:suricata(8) man:suricatasc(8)
 Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
 
 [Service]
-Type=forking
-Environment=OPTIONS='-c /etc/suricata/suricata.yaml'
-CapabilityBoundingSet=CAP_NET_ADMIN
-PIDFile=/var/run/suricata/suricata.pid
-ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS
+Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet'
+PIDFile=/run/suricata/suricata.pid
+ExecStart=/usr/bin/suricata --pidfile /run/suricata/suricata.pid $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStop=/bin/kill $MAINPID
 PrivateTmp=yes
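Review bot: dropping `CapabilityBoundingSet=CAP_NET_ADMIN` outright leaves the service with the full root capability set, which is a larger step back than the commit message needs; since the stated failures are the unprivileged-user switch and eBPF loading, a wider but still bounded set (for example adding `CAP_SETUID CAP_SETGID` for the user switch, `CAP_NET_RAW` for AF_PACKET capture and `CAP_SYS_ADMIN` for the BPF loading the message mentions) would keep a bounding set in place, so please test that combination before removing the directive entirely. Two smaller points on the same hunk: with `Type=forking` gone the unit now defaults to `Type=simple`, under which `PIDFile=/run/suricata/suricata.pid` is not needed for `$MAINPID` tracking and only makes sense if `ExecStart` also daemonizes, so either drop `PIDFile=` and `--pidfile` together or keep them consistent; and nothing in the unit creates `/run/suricata`, so a `RuntimeDirectory=suricata` line would make the new `/run` path exist on boot. Finally, the new `Environment=` line adds `--af-packet`, which contradicts the commit message's claim that the unit specifies no mode of operation; the message should say only that no interface is given.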