OK, I've figured out that capabilities only work with jails, so my init script now looks like this.
    procd_set_param command /usr/bin/fdfd
    procd_set_param file /etc/fdf-config.json
    # Only jail the service when ujail and the capabilities file are both present
    if [ -x /sbin/ujail -a -e /etc/capabilities/fdfd.json ]; then
        procd_add_jail fdfd log requirejail
        # Drop root and restrict the process to the listed capabilities
        procd_set_param user nobody
        procd_set_param capabilities /etc/capabilities/fdfd.json
        procd_set_param no_new_privs 1
    fi
I've installed procd-ujail, and now my service just hangs when I try to start it. Nothing is logged and netstat shows that none of its listening sockets are open. Furthermore, it doesn't respond to SIGTERM, only SIGKILL.
Running ujail from the command line has similar results, i.e.:
Another data point. I noticed that sysntpd runs in a jail when ujail is installed, so I restarted the service (stop, wait, start), and I'm seeing the exact same behavior — nothing in the log and it doesn't respond to SIGTERM.
Mar 30 10:09:30 OpenWrt procd: Instance sysntpd::instance1 pid 5304 not stopped on SIGTERM, sending SIGKILL instead
Looks like this may be a general issue with ujail.
Looking at those patches, it doesn't look likely that either of them is related to what I'm seeing. Specifically, if you look at the strace output, you won't see fork() or clone() called anywhere. For some reason, the actual service isn't even being run.
You can sysupgrade to a pre-release 22.03-SNAPSHOT build for that device or even just replace procd (which you would have to build using the 21.02.2 SDK). In case something goes wrong you can use failsafe mode to recover.
The first of those two patches fixes the issue that prevents jailed services from being stopped.
The second commit fixes a memory corruption on the stack which can very well explain the behavior you are seeing.
Just wanted to circle back on this. I didn't have time to test the pre-release, but I did uninstall procd-ujail and then reinstall it later for some testing. To my surprise, it's working now, so it looks like the latest package (2021-03-08-2cfc26f8-1) has whatever fixes are required to make it work.