diff options
Diffstat (limited to 'src/firejail/caps.c')
| -rw-r--r-- | src/firejail/caps.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index d45ba20ce..883e8015e 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
| @@ -248,10 +248,17 @@ void caps_print(void) { | |||
| 248 | } | 248 | } |
| 249 | } | 249 | } |
| 250 | 250 | ||
| 251 | // drop discretionary access control capabilities by default in all sandboxes | ||
| 252 | void caps_drop_dac_override(void) { | ||
| 253 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0)); | ||
| 254 | else if (arg_debug) | ||
| 255 | printf("Drop CAP_DAC_OVERRIDE\n"); | ||
| 251 | 256 | ||
| 257 | if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0)); | ||
| 258 | else if (arg_debug) | ||
| 259 | printf("Drop CAP_DAC_READ_SEARCH\n"); | ||
| 260 | } | ||
| 252 | 261 | ||
| 253 | |||
| 254 | // enabled by default | ||
| 255 | int caps_default_filter(void) { | 262 | int caps_default_filter(void) { |
| 256 | // drop capabilities | 263 | // drop capabilities |
| 257 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) | 264 | if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) |