diff options
| -rw-r--r-- | README | 2 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 4 |
2 files changed, 5 insertions, 1 deletions
| @@ -411,6 +411,8 @@ smithsohu (https://github.com/smitsohu) | |||
| 411 | - fixed device discovery for simple-scan | 411 | - fixed device discovery for simple-scan |
| 412 | - add novideo support in many profiles | 412 | - add novideo support in many profiles |
| 413 | - improve server profiles, harden musescore | 413 | - improve server profiles, harden musescore |
| 414 | - snap profile cleanup | ||
| 415 | - tighten some capability sets further | ||
| 414 | soredake (https://github.com/soredake) | 416 | soredake (https://github.com/soredake) |
| 415 | - fix steam startup with >=llvm-4 | 417 | - fix steam startup with >=llvm-4 |
| 416 | SpotComms (https://github.com/SpotComms) | 418 | SpotComms (https://github.com/SpotComms) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8074fcd74..656942440 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -107,7 +107,9 @@ static void set_caps(void) { | |||
| 107 | caps_default_filter(); | 107 | caps_default_filter(); |
| 108 | 108 | ||
| 109 | // drop discretionary access control capabilities for root sandboxes | 109 | // drop discretionary access control capabilities for root sandboxes |
| 110 | caps_drop_dac_override(); | 110 | // if caps.keep, the user has to set it manually in the list |
| 111 | if (!arg_caps_keep) | ||
| 112 | caps_drop_dac_override(); | ||
| 111 | } | 113 | } |
| 112 | 114 | ||
| 113 | void save_nogroups(void) { | 115 | void save_nogroups(void) { |