From f4561e51a8890a6d45da36207ea605f240fa6301 Mon Sep 17 00:00:00 2001
From: Rem01Gaming <Rem01_Gaming@proton.me>
Date: Sun, 25 Aug 2024 11:02:13 +0700
Subject: [PATCH] templates/kernelmanager.root: Adjust capabilities (#1948)

* Following capabilities are removed as not commonly used on Kernel
Managers:
 - CAP_SYS_NICE
 - CAP_PERFMON
 - CAP_SYS_MODULE
 - CAP_SYS_RESOURCE

* Added CAP_DAC_OVERRIDE to prevent read/write permission issues

Signed-off-by: Rem01Gaming <Rem01_Gaming@proton.me>
---
 website/docs/public/templates/kernelmanager.root | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/website/docs/public/templates/kernelmanager.root b/website/docs/public/templates/kernelmanager.root
index 899e0d64e05d..3973dd1d5972 100644
--- a/website/docs/public/templates/kernelmanager.root
+++ b/website/docs/public/templates/kernelmanager.root
@@ -10,13 +10,10 @@
         "READPROC"
     ],
     "capabilities":[
-        "CAP_SYS_MODULE",
-        "CAP_SYS_NICE",
-        "CAP_SYS_RESOURCE",
         "CAP_KILL",
         "CAP_SYSLOG",
-        "CAP_PERFMON",
-        "CAP_SYS_BOOT"
+        "CAP_SYS_BOOT",
+        "CAP_DAC_OVERRIDE"
     ],
     "context":"u:r:su:s0",
     "namespace":"INHERITED",