diff options
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b22a4c651..0a32393a2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -99,6 +99,9 @@ static void set_caps(void) { | |||
| 99 | caps_keep_list(arg_caps_list); | 99 | caps_keep_list(arg_caps_list); |
| 100 | else if (arg_caps_default_filter) | 100 | else if (arg_caps_default_filter) |
| 101 | caps_default_filter(); | 101 | caps_default_filter(); |
| 102 | |||
| 103 | // drop discretionary access control capabilities by default | ||
| 104 | caps_drop_dac_override(); | ||
| 102 | } | 105 | } |
| 103 | 106 | ||
| 104 | void save_nogroups(void) { | 107 | void save_nogroups(void) { |
| @@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) { | |||
| 896 | // set security filters | 899 | // set security filters |
| 897 | //**************************** | 900 | //**************************** |
| 898 | // set capabilities | 901 | // set capabilities |
| 899 | // if (!arg_noroot) | 902 | set_caps(); |
| 900 | set_caps(); | ||
| 901 | 903 | ||
| 902 | // set rlimits | 904 | // set rlimits |
| 903 | set_rlimits(); | 905 | set_rlimits(); |