diff options
author | Kristóf Marussy <kris7topher@gmail.com> | 2019-12-29 23:19:15 +0100 |
---|---|---|
committer | Kristóf Marussy <kris7topher@gmail.com> | 2019-12-30 16:49:51 +0100 |
commit | 02d09e86293be87768e6f93560e012e4a02e8666 (patch) | |
tree | 4161dd6af9ba076f846b5586d384614179904e2d /etc/ssh-agent.profile | |
parent | Add sbox_run_v to run programs with explicit argument lists (diff) | |
download | firejail-02d09e86293be87768e6f93560e012e4a02e8666.tar.gz firejail-02d09e86293be87768e6f93560e012e4a02e8666.tar.zst firejail-02d09e86293be87768e6f93560e012e4a02e8666.zip |
Add capability filter for network services, additive filter
The new capability filter SBOX_CAPS_NET_SERVICE allows forked processes
to bind to low ports (privileged network services).
Because dhcp clients require both low ports and network administration
privileges, this patch also allows (bitwise) combination of capability filters
(except SBOX_CAPS_NONE, which completely drops any capabilities)
to grant both SBOX_CAPS_NETWORK and SBOX_CAPS_NET_SERVICE to a dhcp client.
This way, fnet and fnetfilter calls still do not get CAP_NET_BIND_SERVICE.
Diffstat (limited to 'etc/ssh-agent.profile')
0 files changed, 0 insertions, 0 deletions