
Description

The first example drops all caps except setuid/gid, then changes to a user, then regains a specific capability.

The second example sets the inheritable caps and drops all caps except setuid/gid, then changes to a user, then execve()s a program that is assumed to have the same set of inheritable caps set in its xattrs, plus the effective flag. As a result, the launched program has only a specific capability, and nobody can gain the allowed capability automatically (as opposed to effective + permitted file caps). Only the runner can do it.
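The capability arithmetic behind the second example, as an added model that is not this project's code: it applies the execve() rules from capabilities(7) to plain bitmasks and compares inheritable + effective file caps with permitted + effective ones. CAP_NET_BIND_SERVICE as the "specific capability", all struct and function names, and the assumption that keepcaps is unset during the UID change are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_SETGID 6              /* bit numbers from <linux/capability.h> */
#define CAP_SETUID 7
#define CAP_NET_BIND_SERVICE 10   /* assumption: the "specific capability" */
#define BIT(c) (1ULL << (c))

struct caps  { uint64_t inh, prm, eff, bnd; };    /* process capability sets */
struct fcaps { uint64_t inh, prm; int eff_flag; };/* file capability xattr */

/* Constructed file capability sets: inheritable+effective vs permitted+effective. */
static const struct fcaps FILE_IE = { BIT(CAP_NET_BIND_SERVICE), 0, 1 };
static const struct fcaps FILE_PE = { 0, BIT(CAP_NET_BIND_SERVICE), 1 };

/* Root -> non-root UID change with keepcaps unset: permitted and effective
 * are cleared, the inheritable set is left untouched. */
static struct caps after_setuid(struct caps p)
{
    p.prm = p.eff = 0;
    return p;
}

/* execve() of a file carrying capability xattrs (ambient set omitted, it is
 * cleared for such files):
 *   P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)); P'(eff) = F(eff) ? P'(prm) : 0 */
static struct caps after_execve(struct caps p, struct fcaps f)
{
    p.prm = (p.inh & f.inh) | (f.prm & p.bnd);
    p.eff = f.eff_flag ? p.prm : 0;
    return p;
}

/* Effective set of the launched program. runner = 1 models the runner
 * described above, runner = 0 an ordinary user with empty capability sets. */
static uint64_t launched_eff(int runner, struct fcaps f)
{
    struct caps p = { 0, 0, 0, ~0ULL };
    if (runner) {
        p.inh = BIT(CAP_NET_BIND_SERVICE);
        p.prm = p.eff = BIT(CAP_SETUID) | BIT(CAP_SETGID);
        p = after_setuid(p);
    }
    return after_execve(p, f).eff;
}

int main(void)
{
    printf("runner, inheritable+effective file: %#llx\n", (unsigned long long)launched_eff(1, FILE_IE));
    printf("user,   inheritable+effective file: %#llx\n", (unsigned long long)launched_eff(0, FILE_IE));
    printf("user,   permitted+effective file:   %#llx\n", (unsigned long long)launched_eff(0, FILE_PE));
    return 0;
}
```

Only the first and third cases end with the capability in the effective set; the third is the automatic gain that the inheritable-only file setup avoids.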

License

Unless specified otherwise, this project is licensed under the terms of the MIT license. You should have received a copy of the MIT License along with this program. If not, see <https://opensource.org/licenses/MIT>.

SPDX-License-Identifier: MIT

Copyright © 2016 vg <vg@devys.org>

Contact

developer: vg
mail: vg@devys.org