Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 6 |
1 files changed, 4 insertions, 2 deletions
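--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 caps_keep_list(arg_caps_list);
 else if (arg_caps_default_filter)
 caps_default_filter();
+
+// drop discretionary access control capabilities by default
+caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 // set security filters
 //****************************
 // set capabilities
-// if (!arg_noroot)
-set_caps();
+set_caps();
 
 // set rlimits
 set_rlimits();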
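Review bot: The new `caps_drop_dac_override()` call at the end of `set_caps()` runs unconditionally after the `caps_keep_list(arg_caps_list)` branch, so a capability the user explicitly put on the keep list appears to be dropped anyway, with no message. If that precedence is the intended hardening default, state it at the call, e.g. `// applied last on purpose: dropped even when named in the caps keep list`, and consider a debug or warning line when the keep list names it. The added comment says "capabilities" in the plural while the helper is named for dac_override only; its body is not on this page, so the comment should list exactly which capabilities are removed. The start of `set_caps()` lies outside the hunk, so the earlier branches and any early return could not be checked.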