We never need any ambient capabilities in the broker process, since we
never spawn further processes. However, as we are forked off from a
non-privileged launcher, we inherit a non-empty ambient set. Ambient
capabilities survive execve() of unprivileged binaries, so make sure to
clear the set here, to avoid leaking those capabilities into any
sub-process a possible attacker manages to spawn.
Note that we only ever need CAP_AUDIT_WRITE, and we should never see any
other capability. So this is only about keeping CAP_AUDIT_WRITE out of
sub-processes spawned during a possible attack.
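As an added example (not the project's own code), the following shows how clearing the ambient set is done on Linux and how to verify afterwards that nothing survived. It assumes Linux 4.3 or newer (where PR_CAP_AMBIENT exists) and glibc headers; the fallback constant values are copied from the kernel's prctl.h in case the headers are older. The function names drop_ambient_caps() and count_ambient_caps() are this example's own.

```c
/* Added example, not the project's own code. Assumes Linux >= 4.3. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Older glibc headers may lack the ambient-capability prctl constants;
 * these values match include/uapi/linux/prctl.h. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_LOWER 3
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif

#ifndef CAP_LAST_CAP
#define CAP_LAST_CAP 40 /* assumption: CAP_CHECKPOINT_RESTORE */
#endif

/* Drop every capability from the ambient set. Unlike permitted or
 * effective caps, ambient caps would otherwise be carried into any
 * execve() of an unprivileged binary. Returns 0, or -errno on failure.
 * No privilege is required: CLEAR_ALL is always allowed. */
int drop_ambient_caps(void) {
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Count how many capabilities are still in the ambient set.
 * Returns the count, or -errno if the query itself fails.
 * An EINVAL for a cap number above what the running kernel knows
 * simply ends the scan; the headers may be newer than the kernel. */
int count_ambient_caps(void) {
    int n = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; ++cap) {
        int r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
        if (r < 0) {
            if (errno == EINVAL)
                break;
            return -errno;
        }
        n += r; /* r is 1 if the cap is ambient, 0 otherwise */
    }
    return n;
}

int main(void) {
    int before = count_ambient_caps();
    int r = drop_ambient_caps();
    int after = count_ambient_caps();
    printf("ambient caps before: %d, clear: %d, after: %d\n",
           before, r, after);
    return (r == 0 && after == 0) ? 0 : 1;
}
```

The check after the clear is the part worth keeping in a hardened daemon: a successful CLEAR_ALL leaves the permitted and effective sets untouched, so the process still has CAP_AUDIT_WRITE for its own use, while count_ambient_caps() returning 0 confirms that an execve() performed by a compromised broker would start with no ambient capabilities at all.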