From 11f0aaa166015cf796a0d8d8413b6eb0fe381e35 Mon Sep 17 00:00:00 2001
From: Kairui Song
Date: Fri, 30 Jul 2021 22:38:46 +0800
Subject: [PATCH] drop NoNewPrivs from irqbalance service
Resolves: rhbz1963152
Signed-off-by: Kairui Song
---
...p-NoNewPrivs-from-irqbalance-service.patch | 31 +++++++++++++++++++
irqbalance.spec | 3 ++
2 files changed, 34 insertions(+)
create mode 100644 irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch
diff --git a/irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch b/irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch
new file mode 100644
index 0000000..63cc6f4
--- /dev/null
+++ b/irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch
@@ -0,0 +1,31 @@
+From 43751dfc7f29fbf2c46ffcd4fdb6d3f6db291927 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Wed, 12 May 2021 09:26:10 -0400
+Subject: [PATCH] drop NoNewPrivs from irqbalance service
+
+A recent update to libcapng is issuing an error in the system log,
+caused by the fact that irqbalance attempts to drop capabilities when
+the systemd service unit has already done so for us. Since irqbalance
+drops the caps correctly, theres really no need for us to do so via
+systemd as well. So lets drop NoNewCaps in the service unit.
+
+Signed-off-by: Neil Horman
+---
+ misc/irqbalance.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/misc/irqbalance.service b/misc/irqbalance.service
+index e7a3336..014798c 100644
+--- a/misc/irqbalance.service
++++ b/misc/irqbalance.service
+@@ -9,7 +9,6 @@ EnvironmentFile=-/usr/lib/irqbalance/defaults.env
+ EnvironmentFile=-/path/to/irqbalance.env
+ ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
+ CapabilityBoundingSet=
+-NoNewPrivileges=yes
+ ReadOnlyPaths=/
+ ReadWritePaths=/proc/irq
+ RestrictAddressFamilies=AF_UNIX
+--
+2.31.1
+
diff --git a/irqbalance.spec b/irqbalance.spec
index 333c05f..3140318 100644
--- a/irqbalance.spec
+++ b/irqbalance.spec
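Review bot: Removing `NoNewPrivileges=yes` from misc/irqbalance.service gives up a protection that the daemon's own capability dropping does not replace. The no_new_privs flag stops the service and anything it executes from gaining privileges through setuid or file-capability binaries, whereas the embedded commit message reasons only about capabilities and even names the directive NoNewCaps. The unit keeps `CapabilityBoundingSet=` empty, so it is worth confirming on a test system which of the two directives actually produces the libcap-ng log message before shipping the weaker unit. Comparing `systemd-analyze security irqbalance.service` before and after the change would show what exposure is being accepted. The rest of the unit file lies outside the hunk, so other hardening directives may exist that are not visible here.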
@@ -23,12 +23,15 @@ Requires: numactl-libs ExcludeArch: s390 s390x +Patch1: irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch + %description irqbalance is a daemon that evenly distributes IRQ load across multiple CPUs for enhanced performance. %prep %setup -q +%patch1 -p1 %build ./autogen.sh
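Review bot: `Patch1` is added without a comment saying that it relaxes the unit's sandboxing, so a later maintainer cannot tell from the spec that this is a deliberate hardening trade-off rather than a routine backport. I would put a line such as `# Upstream 43751dfc: removes NoNewPrivileges=yes from irqbalance.service (rhbz1963152); revisit once the libcap-ng conflict is resolved` directly above `Patch1:`. The diffstat counts only three insertions in irqbalance.spec, so no Release bump or %changelog entry accompanies the patch in this commit. If the package does not generate those automatically, they should be added so the change is traceable in the built RPM.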