Linux capabilities rewrite
This branch simplifies knot's implementation of Linux capabilities. See the discussion in #546 (closed) for details. Basically, this allows knotd to be started as a non-root user with elevated capabilities, e.g.:
```ini
[Service]
User=knot
Group=knot
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
…
```
This causes knotd to be started as a non-root user/group (knot:knot). After knotd binds to privileged ports (using CAP_NET_BIND_SERVICE), it gives up all its capabilities (using CAP_SETPCAP), resulting in a completely unprivileged process.
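The bind-then-drop sequence described above, as an added example in C that is not Knot DNS code. It assumes Linux, uses the raw `capget`/`capset` syscalls and `prctl` so that libcap is not needed, takes the port from `argv[1]` (default 53, which is an assumption for illustration), and drops the ambient set, then the bounding set (which is the step that needs CAP_SETPCAP), then the effective/permitted/inheritable sets:

```c
/* Added example, not Knot DNS code: bind a privileged UDP port with
 * CAP_NET_BIND_SERVICE, then drop every capability so the process ends
 * up fully unprivileged. Linux only; raw syscalls, no libcap needed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT            /* older glibc headers; values from linux/prctl.h */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif

/* Read the calling thread's capability sets (v3 = two 32-bit words per set). */
static int get_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -errno;
}

/* 1 if cap is in the effective set, 0 if not (or on error). */
static int has_cap(int cap)
{
    struct __user_cap_data_struct data[2];
    if (get_caps(data) != 0) return 0;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Number of capabilities still present in effective or permitted; -1 on error. */
static int caps_remaining(void)
{
    struct __user_cap_data_struct data[2];
    if (get_caps(data) != 0) return -1;
    return __builtin_popcount(data[0].effective | data[0].permitted)
         + __builtin_popcount(data[1].effective | data[1].permitted);
}

/* Bind a UDP socket to 0.0.0.0:port; returns the fd or -1 (errno set).
 * A port below 1024 needs CAP_NET_BIND_SERVICE in the effective set. */
static int bind_udp(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Remove every capability from the bounding set, so none can be regained
 * across execve. PR_CAPBSET_DROP requires CAP_SETPCAP; without it the first
 * drop fails and -EPERM is returned. Returns 0 or -errno. */
static int drop_bounding_set(void)
{
    for (int cap = 0; ; cap++) {
        int in = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (in < 0) return errno == EINVAL ? 0 : -errno; /* EINVAL: past the kernel's last cap */
        if (in == 1 && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) return -errno;
    }
}

/* Clear effective, permitted and inheritable. Shrinking these never needs privilege. */
static int drop_cap_sets(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

/* Full sequence: ambient set, then bounding set while CAP_SETPCAP is still
 * effective, then the thread's own sets. Returns 0 or -errno. */
static int drop_all_caps(void)
{
    int r;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) != 0) return -errno;
    if ((r = drop_bounding_set()) != 0) return r;
    return drop_cap_sets();
}

int main(int argc, char **argv)
{
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 53;   /* 53 is an assumed default */
    int fd = bind_udp(port);
    if (fd < 0) { perror("bind"); return 1; }
    printf("bound UDP port %u; CAP_NET_BIND_SERVICE effective: %d\n",
           port, has_cap(CAP_NET_BIND_SERVICE));
    int r = drop_all_caps();
    if (r != 0) { fprintf(stderr, "drop_all_caps: %s\n", strerror(-r)); return 1; }
    /* The bound socket keeps working after the drop; only new privileged operations are gone. */
    printf("capabilities remaining: %d\n", caps_remaining());
    close(fd);
    return 0;
}
```

To check the result from outside, read `/proc/<pid>/status` while the process runs: after the drop, `CapEff`, `CapPrm`, `CapInh`, `CapBnd` and `CapAmb` should all be `0000000000000000`. Run without CAP_SETPCAP, `drop_bounding_set()` fails with EPERM, which is why the unit above grants that capability alongside CAP_NET_BIND_SERVICE. Adding `NoNewPrivileges=yes` to the unit (a suggestion here, not something the branch is stated to do) additionally prevents the process from regaining privilege through a setuid or file-capability binary on execve.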