I'm using a program to issue a tc command via the subprocess module, but tc is outputting RTNETLINK answers: Operation not permitted
To solve this, I have given python the CAP_NET_ADMIN capability with the epi flags, but I still am not able to issue the tc command.
$ getcap /usr/bin/python3.5
$ /usr/bin/python3.5 test-capabilities.py
CompletedProcess(args=['tc', 'qdisc', 'add', 'dev', 'eth0', 'root', 'pfifo'], returncode=2, stdout=b'', stderr=b'RTNETLINK answers: Operation not permitted\n')
$ sudo setcap cap_net_admin+eip /usr/bin/python3.5
$ /usr/bin/python3.5 test-capabilities.py
CompletedProcess(args=['tc', 'qdisc', 'add', 'dev', 'eth0', 'root', 'pfifo'], returncode=2, stdout=b'', stderr=b'RTNETLINK answers: Operation not permitted\n')
$ sudo /usr/bin/python3.5 test-capabilities.py
CompletedProcess(args=['tc', 'qdisc', 'add', 'dev', 'eth0', 'root', 'pfifo'], returncode=2, stdout=b'', stderr=b'RTNETLINK answers: File exists\n')
If CAP_NET_ADMIN allows a process to modify network interfaces, and the +i flag given in setcap indicates that subprocesses should inherit the capabilities given to the executable, why am I still getting the operation not permitted error? I'd expect to get the File exists error, like I do above when running python via sudo.
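
The rules that capabilities(7) gives for how execve() transforms a non-root process's capability sets, modelled as an added example (not part of the original question) and applied to the shell → python3.5 → tc chain above. The assumption that the tc binary carries no file capabilities, the single-capability bounding set and all names in the code are constructed for illustration; the UID 0 special cases that apply under sudo are not modelled.

```python
from dataclasses import dataclass, replace

NET = frozenset({"cap_net_admin"})

@dataclass(frozen=True)
class Proc:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: frozenset = frozenset()
    ambient: frozenset = frozenset()
    bounding: frozenset = NET      # constructed: only the capability of interest

@dataclass(frozen=True)
class FileCaps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False        # the file "e" flag is a single bit
    setid: bool = False            # set-user-ID / set-group-ID binary

def execve(p, f):
    """Capability sets of the process after it executes file f (non-root case)."""
    privileged = bool(f.permitted or f.inheritable or f.effective or f.setid)
    ambient = frozenset() if privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    # The process inheritable set passes through unchanged: the file "i" flag
    # only masks it and never adds to it.
    return Proc(permitted, p.inheritable, effective, ambient, p.bounding)

def raise_ambient(p, cap):
    """Model capset() adding cap to the inheritable set, then
    prctl(PR_CAP_AMBIENT_RAISE); both require cap to be permitted already."""
    if cap not in p.permitted:
        raise PermissionError(cap)
    return replace(p, inheritable=p.inheritable | {cap}, ambient=p.ambient | {cap})

PYTHON35 = FileCaps(permitted=NET, inheritable=NET, effective=True)  # cap_net_admin+eip
TC = FileCaps()  # assumption: tc has no file capabilities

def tc_caps(raise_first=False):
    """Capability sets tc ends up with when spawned from python3.5."""
    python = execve(Proc(), PYTHON35)          # unprivileged shell runs python3.5
    if raise_first:
        python = raise_ambient(python, "cap_net_admin")
    return execve(python, TC)

if __name__ == "__main__":
    print("python3.5:", execve(Proc(), PYTHON35))
    print("tc (plain subprocess):", tc_caps())
    print("tc (ambient raised first):", tc_caps(raise_first=True))
```

On a live system the same sets can be read from the CapInh, CapPrm, CapEff and CapAmb lines of /proc/<pid>/status.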