1 files changed, 28 insertions, 3 deletions

diff --git a/src/capabilities.c b/src/capabilities.c
index a393efc..57658cc 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -238,13 +238,38 @@ int caps_default_filter(void)
     const char *const capstrs[] = {
         "sys_module", "sys_rawio", "sys_boot",
         "sys_nice", "sys_tty_config",
+        "mknod", "sys_admin", "sys_resource",
+        "sys_time"
+    };
+
+    for (i = 0; i < SIZEOF(capstrs); ++i ) {
+        code = caps_find_name(capstrs[i]);
+        if (code < 0)
+            goto errexit;
+        if (prctl(PR_CAPBSET_DROP, code, 0, 0, 0) < 0)
+            goto errexit;
+    }
+
+    return 0;
+errexit:
+    E("%s", "Can not drop capabilities");
+    exit(EXIT_FAILURE);
+}
+
+int caps_jail_filter(void)
+{
+    size_t i;
+    int code;
+    const char *const capstrs[] = {
 #ifdef CAP_SYSLOG
         "syslog",
 #endif
-        "mknod", "sys_admin"
+        "audit_control", "audit_read", "audit_write",
+        "sys_ptrace", "sys_pacct", "sys_chroot", "sys_nice",
+        "sys_tty_config"
     };
 
-    for (i = 0; i < SIZEOF(capstrs); ++i ) {
+    for (i = 0; i < SIZEOF(capstrs); ++i) {
         code = caps_find_name(capstrs[i]);
         if (code < 0)
             goto errexit;
@@ -255,7 +280,7 @@ int caps_default_filter(void)
     return 0;
 errexit:
     E("%s", "Can not drop capabilities");
-    exit(1);
+    exit(EXIT_FAILURE);
 }
 
 void caps_drop_all(void)