6 files changed, 19 insertions, 4 deletions

diff --git a/RELNOTES b/RELNOTES
index 0c59364c5..5add1b48e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.47) baseline; urgency=low
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
+  * feature: drop discretionary access control capabilities by default 
   * feature: added /etc/firejail/globals.local for global customizations
   * feature: profile support in overlayfs mode
   * new profiles: vym, darktable, Waterfox, digiKam, Catfish
diff --git a/etc/server.profile b/etc/server.profile
index 31a81b88f..2d79fa1c8 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -18,6 +18,7 @@ blacklist /tmp/.X11-unix
 no3d
 nosound
 seccomp
+caps
 
 private
 private-dev
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index d45ba20ce..883e8015e 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,17 @@ void caps_print(void) {
         }
 }
 
+// drop discretionary access control capabilities by default in all sandboxes
+void caps_drop_dac_override(void) {
+        if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+        else if (arg_debug)
+                printf("Drop CAP_DAC_OVERRIDE\n");
 
+        if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+        else if (arg_debug)
+                printf("Drop CAP_DAC_READ_SEARCH\n");
+}
 
-
-// enabled by default
 int caps_default_filter(void) {
         // drop capabilities
         if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6f0a5aa7b..8224b5012 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -533,6 +533,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b5b45a3bf..d7328a91b 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
+                // drop discretionary access control capabilities by default
+                caps_drop_dac_override();
+                
                 // chroot into /proc/PID/root directory
                 char *rootdir;
                 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b22a4c651..0a32393a2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
                 caps_keep_list(arg_caps_list);
         else if (arg_caps_default_filter)
                 caps_default_filter();
+        
+        // drop discretionary access control capabilities by default
+        caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
         // set security filters
         //****************************
         // set capabilities
-//      if (!arg_noroot)
-                set_caps();
+        set_caps();
 
         // set rlimits
         set_rlimits();