diff options
author | netblue30 <netblue30@yahoo.com> | 2017-06-04 11:48:27 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-06-04 11:48:27 -0400 |
commit | 881520edff69292ddbe05efada584f515ccadac4 (patch) | |
tree | a9e056d90d80464017f295b3fcd4ba6a69348a23 /src/firejail/caps.c | |
parent | profile support in overlayfs mode (diff) | |
download | firejail-881520edff69292ddbe05efada584f515ccadac4.tar.gz firejail-881520edff69292ddbe05efada584f515ccadac4.tar.zst firejail-881520edff69292ddbe05efada584f515ccadac4.zip |
drop discretionary access control capabilities by default
Diffstat (limited to 'src/firejail/caps.c')
-rw-r--r-- | src/firejail/caps.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index d45ba20ce..883e8015e 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -248,10 +248,17 @@ void caps_print(void) { | |||
248 | } | 248 | } |
249 | } | 249 | } |
250 | 250 | ||
251 | // drop discretionary access control capabilities by default in all sandboxes | ||
252 | void caps_drop_dac_override(void) { | ||
253 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); | ||
254 | else if (arg_debug) | ||
255 | printf("Drop CAP_DAC_OVERRIDE\n"); | ||
251 | 256 | ||
257 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); | ||
258 | else if (arg_debug) | ||
259 | printf("Drop CAP_DAC_READ_SEARCH\n"); | ||
260 | } | ||
252 | 261 | ||
253 | |||
254 | // enabled by default | ||
255 | int caps_default_filter(void) { | 262 | int caps_default_filter(void) { |
256 | // drop capabilities | 263 | // drop capabilities |
257 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) | 264 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) |