From b3f3992bcc3c9e4d7bc876ec2460cdf1926263b6 Mon Sep 17 00:00:00 2001
From: startx2017
Date: Tue, 5 Sep 2017 08:35:21 -0400
Subject: fix caps.keep/dac-overwrite
---
 README | 2 ++
 src/firejail/sandbox.c | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/README b/README
index beb5e61d9..41db7fc8e 100644
--- a/README
+++ b/README
@@ -411,6 +411,8 @@ smithsohu (https://github.com/smitsohu)
 - fixed device discovery for simple-scan
 - add novideo support in many profiles
 - improve server profiles, harden musescore
+ - snap profile cleanup
+ - tighten some capability sets further
 soredake (https://github.com/soredake)
 - fix steam startup with >=llvm-4
 SpotComms (https://github.com/SpotComms)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8074fcd74..656942440 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -107,7 +107,9 @@ static void set_caps(void) {
 caps_default_filter();
 // drop discretionary access control capabilities for root sandboxes
- caps_drop_dac_override();
+ // if caps.keep, the user has to set it manually in the list
+ if (!arg_caps_keep)
+ caps_drop_dac_override();
 }
 void save_nogroups(void) {
--
cgit v1.2.3-70-g09d2
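Review bot: The new `if (!arg_caps_keep)` guard at the end of set_caps() skips the DAC-override drop whenever the flag is set, so for a root sandbox the outcome now depends entirely on the keep list having already removed every capability not named in it; the code that applies that list is outside this hunk and should be confirmed there. If the keep list is applied in only one branch of the selection above (only `caps_default_filter();` is visible here), the guard would be safer placed in that branch, so that another caps option combined with caps.keep cannot leave the drop skipped without the whitelist having run. The added comment should also say what "it" refers to, for example `// with caps.keep the whitelist decides: dac_override is retained only if the user lists it`. Since this `if` gates a privilege drop, bracing it would guard against a later line being added under it by mistake.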