Our AppArmor profile for dhclient is a lot better than doing this: + capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE); // Drop this someday + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_NET_ADMIN, CAP_NET_RAW, + CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1);
That's not dropping much, IMHO... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/810946 Title: dhclient should drop capabilities To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/810946/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
