deny capability chown -> capability chown
(can we limit that to a certain scope)"
Unfortunately, no, not unless we get help from unbound to change_profile/change_onexec after a fork/exec or it is happening in a helper binary that we could separately profile.
"Ok so overall:
deny capability chown -> capability chown
(can we limit that to a certain scope)"
Unfortunately, no, not unless we get help from unbound to change_ profile/ change_ onexec after a fork/exec or it is happening in a helper binary that we could separately profile.