What capabilities does systemd daemon require to create cgroups?

In my project I need sometimes to be able to create new control groups as an unprivileged user. I decided to write a systemd daemon for this.

I use libcgroup in the daemon code for cgroup manipulation.

When I try to create a cgroup (cgroup_create_cgroup), I receive a libcgroup error ECGROUPNOTALLOWED (Cgroup, operation not allowed). How to allow my daemon to create new cgroups?

systemd .service file:

[Service]
...
CapabilityBoundingSet=CAP_SYS_ADMIN
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes
ProtectHome=yes
ProtectControlGroups=no
ProtectKernelTunables=no
RestrictRealtime=no
User=root
Group=root

Solution

Well, I don't really know which of those protections was odd but just removing them all did the trick.

ExecStart in systemd service does not support file names containing *
PostgreSQL 11 Shared Memory Error: could not open shared memory segment "/PostgreSQL.XXXXXXXX": No such file or directory
systemd/udev dependency failure when auto mounting separate partition during startup
Log Python Systemd output to log file
How to manage a group of resque workers using systemd?
Incompatible flags (0x1c) error with systemd 237 journal files on systemd 244 & 245
Running podman start through systemd service gives error 125 while manually doing it works fine
Varnish Cache 7.5 - Cannot enable inline C? All methods fail
GNU/Linux systemd/sd-device problems creating and filtering an sd_device_enumerator
command `sudo systemctl start mybig_app` holds on and service stands in status loaded(activating) never turning to active
Passing a JSON file as environment variable in Docker
Self Hosted Agent service startup getting failed on VM restart
Ansible handlers - exclusive restart or reload
Systemctl - Failed at step Group spawning
systemd apparently not finding .service file
set umask for Tomcat via tomcat.service in SystemD
Silent systemd ExecStartPre script exit code
Systemd services dependency
Deno as Linux systemd service. How?
Slurmctld: error: mysql_real_connect failed: 1045 Access denied for user 'root'@'localhost' (using password: NO)
Program launches fine when exec'd manually but silently fails via systemd service
wait with systemd until a service socket becomes available and then start a depended service
systemd - can out redirect logs to a file and journald
Why is STDIN open by default for programs running in SystemD?
bitbucket pipeline : systemctl (systemd)
What is a drop-in file? What is a drop-in directory? How to edit systemd service
quadlet podman container with macvlan, how to configure mac address?
Raspberry Pi: Keyboard input for bash script without connected HDMI display
Ansible - cant start or stop service with right permission
Require and start podman network interface using systemd