Allow CAP_DAC_OVERRIDE for the ohai collector

[chef.git] / cookbooks / hardware / recipes / default.rb

diff --git a/cookbooks/hardware/recipes/default.rb b/cookbooks/hardware/recipes/default.rb
index d8bfadbe5d18dc50c1821f086582fee4be1be738..a62288f22b98c78074671ae877d100b7b71a22a5 100644 (file)
--- a/cookbooks/hardware/recipes/default.rb
+++ b/cookbooks/hardware/recipes/default.rb
@@ -536,7 +536,7 @@ if disks.count.positive?
   prometheus_collector "smart" do
     interval "15m"
     user "root"
-    capability_bounding_set "CAP_SYS_ADMIN"
+    capability_bounding_set %w[CAP_SYS_ADMIN CAP_SYS_RAWIO]
     private_devices false
     private_users false
     protect_clock false
@@ -700,8 +700,9 @@ prometheus_collector "ohai" do
   interval "15m"
   user "root"
   proc_subset "all"
-  capability_bounding_set "CAP_SYS_ADMIN"
+  capability_bounding_set %w[CAP_SYS_ADMIN CAP_DAC_OVERRIDE]
   private_devices false
   private_users false
   protect_clock false
+  protect_kernel_modules false
 end