Use systemd service capabilities instead of setcap

Setcap causes problems (like issue #1007), so stop using it (and undo
the permission override on upgrade) and instead set capabilities via the
systemd services.

(This also fixes some AssertFileNotEmpty declarations that were in the
wrong places).

debian/lokinet-bin.postinst

@@ -18,15 +18,17 @@ if [ "$1" = configure ]; then
         adduser --force-badname --quiet _lokinet _loki
     fi
 
-    if ! dpkg-statoverride --list /usr/bin/lokinet >/dev/null 2>&1; then
-        dpkg-statoverride --update --add root _loki 750 /usr/bin/lokinet
+    # Before 0.6.2-3 the deb's setcap'ed the binary and used restrictive permissions and ownership
+    # to protect invocation; from 0.6.2-3 onwards we do the capabilities via the systemd service
+    # file, so if we are upgrading from an older version remove the stat override.  (Otherwise do
+    # nothing in case the local admin does a statoverride).
+    if dpkg --compare-versions "$2" lt '0.6.2-3~'; then
+        if dpkg-statoverride --list /usr/bin/lokinet >/dev/null 2>&1; then
+            dpkg-statoverride --remove /usr/bin/lokinet
+            chown root:root /usr/bin/lokinet
+            chmod 755 /usr/bin/lokinet
+        fi
     fi
-
-    if ! setcap cap_net_admin,cap_net_bind_service=+eip /usr/bin/lokinet; then
-        echo "failed to setcap lokinet" >&2
-        exit 1
-    fi
-
 fi
 
 #DEBHELPER#

debian/lokinet-router.lokinet-router.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, router
+AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
 
@@ -7,7 +8,8 @@ After=network-online.target
 User=_lokinet
 SyslogIdentifier=lokinet-router
 WorkingDirectory=/var/lib/lokinet/router
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/router/lokinet.ini
 Environment=LOKINET_NETID=lokinet
 Restart=always

debian/lokinet-router.lokinet-testnet-router.service

@@ -1,13 +1,15 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, router (testnet)
+AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
-AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 
 [Service]
 User=_lokinet
 SyslogIdentifier=lokinet-router
 WorkingDirectory=/var/lib/lokinet/testnet-router
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/testnet-router/lokinet.ini
 Environment=LOKINET_NETID=gamma
 Restart=always

debian/lokinet.lokinet-testnet.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, client
+AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
 
@@ -7,7 +8,8 @@ After=network-online.target
 User=_lokinet
 SyslogIdentifier=lokinet
 WorkingDirectory=/var/lib/lokinet
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini
 ExecStartPost=+/usr/sbin/lokinet-resolvconf add /var/lib/lokinet/lokinet.ini
 ExecStopPost=+/usr/sbin/lokinet-resolvconf remove /var/lib/lokinet/lokinet.ini

debian/lokinet.lokinet.service

@@ -1,13 +1,15 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, client
+AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 
 [Service]
 User=_lokinet
 SyslogIdentifier=lokinet
 WorkingDirectory=/var/lib/lokinet
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini
 ExecStartPost=+/usr/sbin/lokinet-resolvconf add /var/lib/lokinet/lokinet.ini
 ExecStopPost=+/usr/sbin/lokinet-resolvconf remove /var/lib/lokinet/lokinet.ini