drop capabilities

src/vpn.c

@@ -1,5 +1,6 @@
 #define _GNU_SOURCE
 
+#include <sys/prctl.h>
 #include <fcntl.h>
 #include <pwd.h>
 #include <sched.h>
@@ -8,12 +9,6 @@
 #include <unistd.h>
 
 int main() {
-    char shell[128] = {0};
-
-    struct passwd *pw = getpwent();
-    strlcpy(shell, pw->pw_shell, sizeof(shell));
-    printf("%s\n", shell);
-    endpwent();
 
     int fd = open("/run/vpn/net", 0);
 
@@ -30,6 +25,19 @@ int main() {
         perror("open /run/vpn/net");
         return 1;
     }
+
+    if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) == -1) {
+        perror("prctl");
+        return 1;
+    }
+    
+    char shell[128] = {0};
+
+    struct passwd *pw = getpwent();
+    strlcpy(shell, pw->pw_shell, sizeof(shell));
+    printf("%s\n", shell);
+    endpwent();
+    
     execl(shell, shell, NULL);
     perror(NULL);
     return 0;