drop NoNewPrivs from irqbalance service

Resolves: rhbz1963152

Signed-off-by: Kairui Song <kasong@redhat.com>

irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch

@@ -0,0 +1,31 @@
+From 43751dfc7f29fbf2c46ffcd4fdb6d3f6db291927 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@gmail.com>
+Date: Wed, 12 May 2021 09:26:10 -0400
+Subject: [PATCH] drop NoNewPrivs from irqbalance service
+
+A recent update to libcapng is issuing an error in the system log,
+caused by the fact that irqbalance attempts to drop capabilities when
+the systemd service unit has already done so for us.  Since irqbalance
+drops the caps correctly, theres really no need for us to do so via
+systemd as well.  So lets drop NoNewCaps in the service unit.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+---
+ misc/irqbalance.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/misc/irqbalance.service b/misc/irqbalance.service
+index e7a3336..014798c 100644
+--- a/misc/irqbalance.service
++++ b/misc/irqbalance.service
+@@ -9,7 +9,6 @@ EnvironmentFile=-/usr/lib/irqbalance/defaults.env
+ EnvironmentFile=-/path/to/irqbalance.env
+ ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
+ CapabilityBoundingSet=
+-NoNewPrivileges=yes
+ ReadOnlyPaths=/
+ ReadWritePaths=/proc/irq
+ RestrictAddressFamilies=AF_UNIX
+-- 
+2.31.1
+

irqbalance.spec

@@ -23,12 +23,15 @@ Requires: numactl-libs
 
 ExcludeArch: s390 s390x
 
+Patch1: irqbalance-1.8.0-drop-NoNewPrivs-from-irqbalance-service.patch
+
 %description
 irqbalance is a daemon that evenly distributes IRQ load across
 multiple CPUs for enhanced performance.
 
 %prep
 %setup -q
+%patch1 -p1
 
 %build
 ./autogen.sh