From 881520edff69292ddbe05efada584f515ccadac4 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 4 Jun 2017 11:48:27 -0400
Subject: drop discretionary access control capabilities by default

---
 src/firejail/caps.c | 11 +++++++++--
 src/firejail/firejail.h | 1 +
 src/firejail/join.c | 3 +++
 src/firejail/sandbox.c | 6 ++++--
 4 files changed, 17 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index d45ba20ce..883e8015e 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,17 @@ void caps_print(void) {
 }
 }
+// drop discretionary access control capabilities by default in all sandboxes
+void caps_drop_dac_override(void) {
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_OVERRIDE\n");
+ if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+ else if (arg_debug)
+ printf("Drop CAP_DAC_READ_SEARCH\n");
+}
-
-// enabled by default
 int caps_default_filter(void) {
 // drop capabilities
 if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6f0a5aa7b..8224b5012 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -533,6 +533,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 // syscall.c
 const char *syscall_find_nr(int nr);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b5b45a3bf..d7328a91b 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+ // drop discretionary access control capabilities by default
+ caps_drop_dac_override();
+
 // chroot into /proc/PID/root directory
 char *rootdir;
 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
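Review bot: In caps_drop_dac_override the two `if (prctl(PR_CAPBSET_DROP, ...));` statements have an empty body, so a failed drop is silently ignored and the sandbox goes on with CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH still in its bounding set, while only the success path is reported under arg_debug. The first visible line of caps_default_filter in the same hunk tests the same prctl return value, and if its body (outside the hunk) calls errExit as that suggests, the new function should fail the same way instead of diverging: `if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0))` / `errExit("prctl");`, followed by the existing debug printf, and likewise for CAP_DAC_READ_SEARCH. The `if (...);` form also trips -Wempty-body and reads as a typo to the next maintainer. The function header comment could additionally say that only the bounding set is affected, which is what PR_CAPBSET_DROP does.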
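Review bot: caps_drop_dac_override() is called unconditionally in the join child here, and the same unconditional call is added to set_caps() in sandbox.c right after caps_keep_list(arg_caps_list), so a sandbox started with an explicit --caps.keep that lists the DAC capabilities still loses them, and a joining process gets whatever this call leaves rather than the set it joins. If overriding an explicit keep list is the intent, the comment on both call sites should say so instead of "by default"; otherwise gate the call on the user not having given a keep list, e.g. `if (!arg_caps_keep) caps_drop_dac_override();` in both places, assuming arg_caps_keep is the flag tested before caps_keep_list (that test is outside the visible hunk). join() continues past the end of this hunk, so whether the child later re-applies the target sandbox's capability set cannot be seen from here.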
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b22a4c651..0a32393a2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 caps_keep_list(arg_caps_list);
 else if (arg_caps_default_filter)
 caps_default_filter();
+
+ // drop discretionary access control capabilities by default
+ caps_drop_dac_override();
 }
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 // set security filters
 //****************************
 // set capabilities
-// if (!arg_noroot)
- set_caps();
+ set_caps();
 // set rlimits
 set_rlimits();
-- cgit v1.2.3-54-g00ecf