fix caps.keep/dac-overwrite

2 files changed, 5 insertions, 1 deletions

diff --git a/README b/README
index beb5e61d9..41db7fc8e 100644
--- a/README
+++ b/README
@@ -411,6 +411,8 @@ smithsohu (https://github.com/smitsohu)
         - fixed device discovery for simple-scan
         - add novideo support in many profiles
         - improve server profiles, harden musescore
+        - snap profile cleanup
+        - tighten some capability sets further
 soredake (https://github.com/soredake)
         - fix steam startup with >=llvm-4
 SpotComms (https://github.com/SpotComms)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8074fcd74..656942440 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -107,7 +107,9 @@ static void set_caps(void) {
                 caps_default_filter();
         
         // drop discretionary access control capabilities for root sandboxes
-        caps_drop_dac_override();
+        // if caps.keep, the user has to set it manually in the list
+        if (!arg_caps_keep)
+                caps_drop_dac_override();
 }
 
 void save_nogroups(void) {