File:Firejail caps example.png

Summary
Screenshot of two xterms running in Xephyr windows (each started with Firejail from the command line in the parent desktop), in which a regular user attempts to run a program (rootchown) carrying the file capability cap_chown=eip, to illustrate Firejail's ability to prevent privilege escalation. In the first xterm the program is allowed to run, but in the second xterm (started with the --caps.drop=all Firejail option) the program is aborted with an "Operation not permitted" error message. The program rootchown itself is trivial; its source, compilation (as root) and the necessary setcap command are also shown in the screenshot. Uploaded for use in a forthcoming mini-guide on X11 sandboxing (an addendum to Sakaki's EFI Install Guide).
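The rootchown source in the screenshot is not reproduced on this page. The following is an added example, not the uploader's program or any Firejail code, of a rootchown-style binary that is a little more talkative: before attempting chown(2) it reads the CapEff line from /proc/self/status and reports whether CAP_CHOWN (capability number 0) is in its effective set, so a tester inside each sandbox can see the capability present or absent rather than only the final error. The path and uid arguments, the function names and the helper layout are this example's own assumptions.

```c
/* rootchown-style demonstrator (added example, not the screenshot's source).
 * Reports whether CAP_CHOWN is in the effective set, then tries chown(2).
 * Build:  cc -o rootchown rootchown.c
 * Grant the file capability as root:  setcap cap_chown=eip ./rootchown
 * Run as a regular user:  ./rootchown <path> <uid>
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CAP_CHOWN_BIT 0   /* CAP_CHOWN is capability number 0 (linux/capability.h) */

/* Return 1 if capability number `cap` is set in a hex mask as printed by
 * /proc/self/status (e.g. "0000003fffffffff"), 0 if clear, -1 on bad input. */
int cap_in_mask(const char *hex, int cap)
{
    char *end;
    unsigned long long mask;

    if (hex == NULL || cap < 0 || cap > 63)
        return -1;
    errno = 0;
    mask = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the CapEff mask of the calling process into `hex` (len >= 17).
 * Returns 0 on success, -1 if /proc/self/status is unavailable (non-Linux). */
int read_cap_eff(char *hex, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            size_t n;
            while (*p == ' ' || *p == '\t')
                p++;
            n = strcspn(p, "\n");
            if (n >= len)
                n = len - 1;
            memcpy(hex, p, n);
            hex[n] = '\0';
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return -1;
}

/* Attempt chown(2). Returns 0 on success, otherwise the errno value
 * (EPERM when CAP_CHOWN is missing, ENOENT when the path does not exist).
 * gid (gid_t)-1 leaves the group unchanged, as chown(2) specifies. */
int try_chown(const char *path, uid_t uid, gid_t gid)
{
    if (chown(path, uid, gid) == 0)
        return 0;
    return errno;
}

int main(int argc, char **argv)
{
    char hex[32];
    int err;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <path> <uid>\n", argv[0]);
        return 2;
    }
    if (read_cap_eff(hex, sizeof hex) == 0)
        printf("CapEff=%s  CAP_CHOWN %s\n", hex,
               cap_in_mask(hex, CAP_CHOWN_BIT) == 1 ? "present" : "absent");

    err = try_chown(argv[1], (uid_t)atoi(argv[2]), (gid_t)-1);
    if (err != 0) {
        fprintf(stderr, "chown(%s): %s\n", argv[1], strerror(err));
        return 1;
    }
    printf("chown(%s) to uid %s succeeded\n", argv[1], argv[2]);
    return 0;
}
```

To repeat the screenshot's comparison, start one sandboxed terminal with `firejail xterm` and another with `firejail --caps.drop=all xterm`, then run the binary in each against a root-owned file (the file and uid are whatever you choose for the test). In the first, the program reports CAP_CHOWN present and the chown succeeds, which is the privilege escalation Firejail is meant to prevent. In the second, the process carries no CAP_CHOWN in its bounding set, so the file capability cannot be granted at exec: the kernel either refuses to execute the binary (because the file's effective bit asks for a permitted set the bounding set no longer allows) or, where no-new-privs is in force and file capabilities are ignored, runs it without the capability and chown fails with EPERM. Both paths surface as "Operation not permitted", matching the second xterm in the screenshot.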