From 8a0725cd013564500af985c728c1589ae9eb47f7 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 3 Sep 2017 21:34:07 +0200
Subject: tighten capability sets
---
 etc/dnscrypt-proxy.profile | 2 +-
 etc/unbound.profile | 2 +-
 etc/wireshark.profile | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index a1ccfbe22..86af9c7b3 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 no3d
 nodvd
 nonewprivs
diff --git a/etc/unbound.profile b/etc/unbound.profile
index afc903e88..2a38aa7c6 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps
-# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot,sys_resource
+# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource
 no3d
 nodvd
 nonewprivs
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index 57f4f2f5b..7504d0b9c 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# caps.drop all
+caps.keep net_admin,net_raw
 netfilter
 no3d
 # nogroups - breaks unprivileged wireshark usage
@@ -21,6 +21,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 # protocol unix,inet,inet6,netlink
 # seccomp - breaks unprivileged wireshark usage
 shell none
-- 
cgit v1.2.3-54-g00ecf
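Review bot: The tightened whitelist on the `+# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot` line is still commented out, so this hunk changes no enforced policy; the active directive remains `caps`, which applies firejail's default capability blacklist rather than this keep-list. If the intent is to enforce the reduced set, drop the `# ` prefix; if the line is deliberately kept as documentation only (for example because the daemon drops privileges itself, or the profile is also used by unprivileged users — neither is visible here), say so on the line so the next reader does not mistake it for an active filter, e.g. `# caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot  - not enabled (<reason>); the default 'caps' blacklist is what applies`. Only the capability lines of the profile are in the hunk.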
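Review bot: As in the dnscrypt-proxy profile, `+# caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource` is commented out, so the only enforced filter is still `caps` and the commit's tightening is documentary for this file too. The two keep-lists now diverge — this one drops `ipc_lock` but retains `sys_resource`, the dnscrypt-proxy one does the opposite — which is presumably deliberate (unbound adjusting rlimits or socket buffers at start-up, dnscrypt-proxy mlock()ing key material) but nothing in the hunk records it. A short why-comment per retained capability would make future pruning safe, e.g. `# sys_resource: needed for unbound's rlimit/socket-buffer adjustments (verify against the version packaged)`. The remainder of the profile lies outside the hunk.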
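Review bot: `+caps.keep net_admin,net_raw` keeps net_admin in the bounding set, and net_admin also permits changing routes, firewall rules and interface configuration, not just enabling promiscuous mode; for a program whose dissectors parse untrusted packets that is the capability most worth justifying on the line. Wireshark's own packaging grants dumpcap cap_net_raw,cap_net_admin, so the pair is probably required, but record that so nobody narrows it blindly or, conversely, widens it later: `caps.keep net_admin,net_raw  # dumpcap needs both (net_admin for promiscuous mode/interface flags); do not widen`. Note that the replaced `# caps.drop all` was already commented out, so the old profile applied no capability filter at all and this line is the first real restriction. The `# nogroups - breaks unprivileged wireshark usage` context line would benefit from the same precision (the user presumably has to stay in the wireshark group to exec dumpcap, if that is the cause).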
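Review bot: `+novideo` is fine, but the two context lines directly below it — `# protocol unix,inet,inet6,netlink` and `# seccomp - breaks unprivileged wireshark usage` — mean the process that parses untrusted packets still runs with no syscall or socket-family filter, a larger gap than the device access this line closes. The existing comment should state the actual failure so the restriction can be revisited: if the breakage is that firejail's seccomp sets no_new_privs and therefore stops dumpcap's file capabilities from being honoured for unprivileged users (the likely cause, but not verifiable from the hunk), write that, e.g. `# seccomp - disabled: it sets no_new_privs, which prevents dumpcap's file capabilities (net_raw,net_admin) from taking effect for unprivileged users`. `protocol` is implemented on the same seccomp mechanism in firejail, so the same explanation probably covers it and deserves a matching note rather than a bare commented-out line.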