units: allow systemd-userdbd to change process name

rename_process() requires CAP_SYS_RESOURCE so let's make sure it is in
our permitted set after execve() by adding in to the bounding set.

Previously,
systemd-userdbd.service - User Database Manager
     Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled)
     Active: active (running) since Mon 2022-12-19 17:07:21 CET; 17min ago
TriggeredBy: ● systemd-userdbd.socket
       Docs: man:systemd-userdbd.service(8)
   Main PID: 1880 (systemd-userdbd)
     Status: "Processing requests..."
      Tasks: 4 (limit: 2272)
     Memory: 5.2M
        CPU: 244ms
     CGroup: /system.slice/systemd-userdbd.service
             ├─1880 /usr/lib/systemd/systemd-userdbd
             ├─2270 systemd-userwork
             ├─2271 systemd-userwork
             └─2272 systemd-userwork

Now,
    Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; indirect; preset: disabled)
     Active: active (running) since Mon 2022-12-19 17:27:02 CET; 15s ago
TriggeredBy: ● systemd-userdbd.socket
       Docs: man:systemd-userdbd.service(8)
   Main PID: 2404 (systemd-userdbd)
     Status: "Processing requests..."
      Tasks: 4 (limit: 2272)
     Memory: 5.5M
        CPU: 89ms
     CGroup: /system.slice/systemd-userdbd.service
             ├─2404 /usr/lib/systemd/systemd-userdbd
             ├─2407 "systemd-userwork: waiting..."
             ├─2408 "systemd-userwork: waiting..."
             └─2409 "systemd-userwork: waiting..."

1 files changed, 1 insertions, 1 deletions

diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
index 84dea04f55..b57661100c 100644
--- a/units/systemd-userdbd.service.in
+++ b/units/systemd-userdbd.service.in
@@ -16,7 +16,7 @@ Before=sysinit.target
 DefaultDependencies=no
 
 [Service]
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
 ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}