The securebit keep-caps retains the capabilities in the permitted set
over a UID change (ambient capabilities are cleared though).
Setting the keep-caps securebit after the uid change and before execve
doesn't make sense as it is cleared during execve and there is no
additional user ID change after this point.
Although the documentation (man 7 capabilities) is ambiguous, keep-caps
is reset during execve although keep-caps-locked is set. After execve
only keep-caps-locked is set and keep-caps is cleared.
*exit_status = EXIT_CAPABILITIES;
return log_unit_error_errno(unit, r, "Failed to apply ambient capabilities (after UID change): %m");
}
-
- /* If we were asked to change user and ambient capabilities
- * were requested, we had to add keep-caps to the securebits
- * so that we would maintain the inherited capability set
- * through the setresuid(). Make sure that the bit is added
- * also to the context secure_bits so that we don't try to
- * drop the bit away next. */
-
- secure_bits |= 1<<SECURE_KEEP_CAPS;
}
}
}
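Review bot: with the comment block and `secure_bits |= 1<<SECURE_KEEP_CAPS;` removed, nothing after the "Failed to apply ambient capabilities (after UID change)" error path explains why keep-caps is now left out of `secure_bits`. The reason is not obvious, since the commit message itself calls man 7 capabilities ambiguous on this point. Suggest leaving a short replacement comment there, stating that keep-caps is only needed across the UID change and is cleared by execve anyway, so it is deliberately not carried into `secure_bits`. The removed comment also says the bit would otherwise be dropped "next", so please confirm that the later securebits step, which is not visible in this hunk, behaves as intended when keep-caps is still set in the process but absent from `secure_bits`.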