add CAP_NET_ADMIN

[limstash]

#2378

[unknowndevQwQ]

#2378

可以把 CAP_NET_ADMIN 放在最前面吗（

[limstash]

#2378

可以把 CAP_NET_ADMIN 放在最前面吗（

放前面了

[unknowndevQwQ]

#2378

可以把 CAP_NET_ADMIN 放在最前面吗（

放前面了

好的

[springzfx]

From here, tested good and works well with tproxy.

• No need for CAP_NET_RAW
• And please run without root
• AmbientCapabilities is the correct way, see man systemd.exec for detail

[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
Type=exec
ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

[unknowndevQwQ]

From here, tested good and works well with tproxy.

• No need for CAP_NET_RAW
• And please run without root
• AmbientCapabilities is the correct way, see man systemd.exec for detail

[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
Type=exec
ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

CapabilityBoundingSet 是用于限制能获取最多 cap 的，我个人不太清楚 nobody 最多能拿到多少 cap
至于 CAP_NET_RAW，有 CAP_NET_ADMIN 之后连 CAP_NET_BIND_SERVICE 都可以不需要事实证明，说这种话之前一定要好好看文档或者亲自执行一下
在之后彻底明白 AmbientCapabilities 与 CapabilityBoundingSet 的用法了

不过这个 pr 到现在都没合并就有点尴尬

[limstash]

From here, tested good and works well with tproxy.

• No need for CAP_NET_RAW
• And please run without root
• AmbientCapabilities is the correct way, see man systemd.exec for detail

[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
Type=exec
ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

CapabilityBoundingSet 是用于限制能获取最多 cap 的，我个人不太清楚 nobody 最多能拿到多少 cap
至于 CAP_NET_RAW，有 CAP_NET_ADMIN 之后连 CAP_NET_BIND_SERVICE 都可以不需要
在之后彻底明白 AmbientCapabilities 与 CapabilityBoundingSet 的用法了

不过这个 pr 到现在都没合并就有点尴尬

事实上 nobody 在我的电脑上并没有办法运行

[Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted

[springzfx]

事实上 nobody 在我的电脑上并没有办法运行

如果setcap过，需要删除
sudo setcap -r /usr/lib/v2ray/v2ray

－－－－－－－－－－－－－－－－－－－－－－－－－－－－
另外改为DynamicUser，可以进一步缩小权限：
https://github.com/springzfx/cgproxy/blob/06da4773731142966fbcd2c33a0e2760a7248ee3/v2ray_config/v2ray.service#L1-L18

[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target


[Service]
Type=exec
ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
DynamicUser=yes
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

[springzfx]

CapabilityBoundingSet 是用于限制能获取最多 cap 的，我个人不太清楚 nobody 最多能拿到多少 cap
至于 CAP_NET_RAW，有 CAP_NET_ADMIN 之后连 CAP_NET_BIND_SERVICE 都可以不需要
在之后彻底明白 AmbientCapabilities 与 CapabilityBoundingSet 的用法了

不过这个 pr 到现在都没合并就有点尴尬

• 如果你需要so-mark, 那么只能 CAP_NET_ADMIN ＋ CAP_NET_BIND_SERVICE
• 否则CAP_NET_ADMIN/CAP_NET_RAW ＋ CAP_NET_BIND_SERVICE
  

[unknowndevQwQ]

CapabilityBoundingSet 是用于限制能获取最多 cap 的，我个人不太清楚 nobody 最多能拿到多少 cap
至于 CAP_NET_RAW，有 CAP_NET_ADMIN 之后连 CAP_NET_BIND_SERVICE 都可以不需要
在之后彻底明白 AmbientCapabilities 与 CapabilityBoundingSet 的用法了
不过这个 pr 到现在都没合并就有点尴尬

CAP_NET_ADMIN 和 CAP_NET_BIND_SERVICE是必须的

可能是我之前看错了（x

[unknowndevQwQ]

From here, tested good and works well with tproxy.

• No need for CAP_NET_RAW
• And please run without root
• AmbientCapabilities is the correct way, see man systemd.exec for detail

[Unit]
Description=V2Ray - A unified platform for anti-censorship
Documentation=https://v2ray.com https://guide.v2fly.org
After=network.target nss-lookup.target
Wants=network-online.target

[Service]
Type=exec
ExecStart=/usr/lib/v2ray/v2ray -config /etc/v2ray/config.json
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
Restart=on-failure
# Don't restart in the case of configuration error
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

CapabilityBoundingSet 是用于限制能获取最多 cap 的，我个人不太清楚 nobody 最多能拿到多少 cap
至于 CAP_NET_RAW，有 CAP_NET_ADMIN 之后连 CAP_NET_BIND_SERVICE 都可以不需要
在之后彻底明白 AmbientCapabilities 与 CapabilityBoundingSet 的用法了
不过这个 pr 到现在都没合并就有点尴尬

事实上 nobody 在我的电脑上并没有办法运行

[Info] v2ray.com/core/transport/internet: failed to apply socket options to incoming connection > v2ray.com/core/transport/internet: failed to set IP_TRANSPARENT > operation not permitted

现在看来是我记错了，刚刚用 capsh 发现确实需要 cap_net_bind_service我又眼花了

[unknowndevQwQ]

#2378

还是把 CAP_NET_BIND_SERVICE 加回去吧orz