Default behaviour of `--cap-drop`

Open cgzones opened this issue 3 years ago • 2 comments

The documentation of --cap-drop states:

By default no caps are left in the sandboxed process.

That seems not to be true:

id
uid=0(root) gid=0(root) groups=0(root)

getpcaps $$
14257: =ep

bwrap --bind / / sh -c 'getpcaps $$'
15598: =ep

bwrap --bind / / --cap-drop ALL sh -c 'getpcaps $$'
15577: =

cgzones avatar Mar 02 '23 15:03 cgzones
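Added example, not code from the bubblewrap project or from the reporter: a POSIX sh script that reads the kernel's own CapEff mask from /proc/<pid>/status and decodes it into capability numbers, so the "no caps are left" claim can be checked inside a sandbox even on hosts without getpcaps. The script name, the --check argument and the status-file parameter are my own choices.

```shell
#!/bin/sh
# Added example (not bubblewrap's or the reporter's code): decode the CapEff
# mask from /proc/<pid>/status to verify what a sandboxed process really holds.

# Print the CapEff hex mask found in a /proc status file (default: this process).
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# Print the set bit positions (capability numbers) of a hex mask, ascending,
# one per line.  Goes one hex digit at a time, so no 64-bit arithmetic is needed.
cap_mask_bits() {
    mask="$1"; i=${#mask}; bit=0
    while [ "$i" -gt 0 ]; do
        val=$((0x$(printf '%s' "$mask" | cut -c "$i")))
        j=0
        while [ "$j" -lt 4 ]; do
            [ $(( (val >> j) & 1 )) -eq 1 ] && printf '%s\n' "$((bit + j))"
            j=$((j + 1))
        done
        bit=$((bit + 4)); i=$((i - 1))
    done
}

# Exit 0 only when the mask has no capability bit set.
cap_mask_is_empty() { [ -z "$(cap_mask_bits "$1")" ]; }

# Report the effective capabilities recorded in a status file (default: this
# process).  Exit 0 when none are held, 1 when some are, 2 if unreadable.
check_caps() {
    m=$(cap_eff_mask "${1:-/proc/self/status}")
    [ -n "$m" ] || { echo "no CapEff line in ${1:-/proc/self/status}" >&2; return 2; }
    if cap_mask_is_empty "$m"; then
        printf 'CapEff=%s: no effective capabilities\n' "$m"; return 0
    fi
    printf 'CapEff=%s: capabilities still held: %s\n' "$m" \
        "$(cap_mask_bits "$m" | tr '\n' ' ')"
    return 1
}

# Run it inside the sandbox to test the documented claim, e.g.:
#   bwrap --bind / / sh ./check_caps.sh --check
case "${1:-}" in
    --check) check_caps "${2:-}" ;;
esac
```

A non-zero exit from the --check run means the sandboxed shell still holds effective capabilities, which is the behaviour the report above observes for a root caller without `--cap-drop ALL`.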

This might be related to #122 and #123.

smcv avatar Mar 02 '23 16:03 smcv

Similar: #287

rusty-snake avatar Mar 02 '23 19:03 rusty-snake