Problem Description:
Casper services allow limiting operations that a process can
perform. Each service maintains a specific list of permitted
operations. Certain operations can be further restricted, such as
specifying which domain names can be resolved. During the verification
of limits, the service must ensure that the new set of constraints
is a subset of the previous one. In the case of the cap_net service,
the currently limited set of domain names was fetched incorrectly.
Impact:
In certain scenarios, if only a list of resolvable domain names
was specified without setting any other limitations, the application
could submit a new list of domains including include entries not
previously in the list.