These two permission is absolutely required:
- CAP_NET_ADMIN is needed for modifying routes.
- CAP_NET_RAW is for modifying iptables.
When the app starts to set up a tunnel, it seems to execute "cat
/sys/module/wireguard/version" to check if wireguard kernel module is
loaded or not. Despite the permission seems okay, without
CAP_DAC_READ_SEARCH it could not read the version number and threw an
error in the application log.
CAP_DAC_OVERRIDE is needed optionally for installing Wireguard command
line tools. It could be turned back off once the binaries have been
copied.
