Add capability filter for network services, additive filter

The new capability filter SBOX_CAPS_NET_SERVICE allows forked processes
to bind to low ports (privileged network services).

Because dhcp clients require both low ports and network administration
privileges, this patch also allows (bitwise) combination of capability filters
(except SBOX_CAPS_NONE, which completely drops any capabilities)
to grant both SBOX_CAPS_NETWORK and SBOX_CAPS_NET_SERVICE to a dhcp client.
This way, fnet and fnetfilter calls still do not get CAP_NET_BIND_SERVICE.

0 files changed, 0 insertions, 0 deletions