Changing capabilities of the process

Question

Are there any way that I could run application with a special capabilities? I'm trying to set capabilities with function "cap_set_flag()", by setting flag "SET_CLEAR", to all "CAP_INHERITABLE" capabilities but it doesn't work. Child application still has all capabilities, but i expect it will have only "cap_dac_override". I also my app with sudo to change capabilities.

My app:

#include <sys/capability.h>
#include <stdio.h>
#include <unistd.h>

   cap_value_t newcaps[1] = { CAP_DAC_OVERRIDE, };

cap_value_t cap_list_[33] = {
        CAP_CHOWN,
        CAP_DAC_READ_SEARCH,
        CAP_FOWNER,
        CAP_FSETID,
        CAP_KILL,
        CAP_SETGID,
        CAP_SETUID,
        CAP_SETPCAP,
        CAP_LINUX_IMMUTABLE,
        CAP_NET_BIND_SERVICE,
        CAP_NET_BROADCAST,
        CAP_NET_ADMIN,
        CAP_NET_RAW,
        CAP_IPC_LOCK,
        CAP_IPC_OWNER,
        CAP_SYS_MODULE,
        CAP_SYS_RAWIO,
        CAP_SYS_CHROOT,
        CAP_SYS_PTRACE,
        CAP_SYS_PACCT,
        CAP_SYS_ADMIN,
        CAP_SYS_BOOT,
        CAP_SYS_NICE,
        CAP_SYS_RESOURCE,
        CAP_SYS_TIME,
        CAP_SYS_TTY_CONFIG,
        CAP_MKNOD,
        CAP_LEASE,
        CAP_AUDIT_WRITE,
        CAP_AUDIT_CONTROL,
        CAP_SETFCAP,
        CAP_MAC_OVERRIDE,
        CAP_MAC_ADMIN
    };

void test() {
cap_value_t cap_list[35];
const char *cap_name[35] = {
        "cap_chown",
        "cap_dac_override",
        "cap_dac_read_search",
        "cap_fowner",
        "cap_fsetid",
        "cap_kill",
        "cap_setgid",
        "cap_setuid",
        "cap_setpcap",
        "cap_linux_immutable",
        "cap_net_bind_service",
        "cap_net_broadcast",
        "cap_net_admin",
        "cap_net_raw",
        "cap_ipc_lock",
        "cap_ipc_owner",
        "cap_sys_module",
        "cap_sys_rawio",
        "cap_sys_chroot",
        "cap_sys_ptrace",
        "cap_sys_pacct",
        "cap_sys_admin",
        "cap_sys_boot",
        "cap_sys_nice",
        "cap_sys_resource",
        "cap_sys_time",
        "cap_sys_tty_config",
        "cap_mknod",
        "cap_lease",
        "cap_audit_write",
        "cap_audit_control",
        "cap_setfcap",
        "cap_mac_override",
        "cap_mac_admin",
        "cap_syslog"
    };
    int i;
    pid_t pid = getpid();
    cap_t cap = cap_get_pid(pid);
    cap_flag_value_t cap_flags_value;
    for (i=0; i < 34; i++) {
        cap_from_name(cap_name[i], &cap_list[i]);
        printf("%-20s %d\t\t", cap_name[i], cap_list[i]);
        printf("flags: \t\t");
        cap_get_flag(cap, cap_list[i], CAP_EFFECTIVE, &cap_flags_value);
        printf(" EFFECTIVE %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        cap_get_flag(cap, cap_list[i], CAP_PERMITTED, &cap_flags_value);
        printf(" PERMITTED %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        cap_get_flag(cap, cap_list[i], CAP_INHERITABLE, &cap_flags_value);
        printf(" INHERITABLE %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        printf("\n");
    }
}


int main(int argc, char **argv[]) {
    cap_t caps = cap_get_proc();
    printf("Capabilities: %s\n", cap_to_text(caps, NULL));
    if (cap_set_flag(caps, CAP_INHERITABLE, 33, cap_list_, CAP_CLEAR)){
    printf("ERROR");
    return 0;}
        if (cap_set_flag(caps, CAP_EFFECTIVE, 33, cap_list_, CAP_CLEAR)){
    printf("ERROR");
    return 0;}
            if (cap_set_flag(caps, CAP_PERMITTED, 33, cap_list_, CAP_CLEAR)){
    printf("ERROR");
    return 0;}
    cap_set_proc(caps);
    if(cap_set_flag(caps, CAP_INHERITABLE, 1, newcaps, CAP_SET)){
    printf("ERROR2");
    return 0;
    }
        if(cap_set_flag(caps, CAP_INHERITABLE, 1, newcaps, CAP_SET)){
    printf("ERROR2");
    return 0;
    }
        if(cap_set_flag(caps, CAP_PERMITTED, 1, newcaps, CAP_SET)){
    printf("ERROR2");
    return 0;
    }
    
    cap_set_proc(caps);
    printf("Capabilities: %s\n", cap_to_text(caps, NULL));
    cap_free(caps);
    printf("====================Cap====================\n");
    test();
    printf("====================Test====================\n");
    return execl("/home/ilya/testSEM/test.o", NULL);
}

My test app:

#include <stdio.h>
#include <sys/capability.h>

int main(int argc, char **argv) {
cap_value_t cap_list[35];
const char *cap_name[35] = {
        "cap_chown",
        "cap_dac_override",
        "cap_dac_read_search",
        "cap_fowner",
        "cap_fsetid",
        "cap_kill",
        "cap_setgid",
        "cap_setuid",
        "cap_setpcap",
        "cap_linux_immutable",
        "cap_net_bind_service",
        "cap_net_broadcast",
        "cap_net_admin",
        "cap_net_raw",
        "cap_ipc_lock",
        "cap_ipc_owner",
        "cap_sys_module",
        "cap_sys_rawio",
        "cap_sys_chroot",
        "cap_sys_ptrace",
        "cap_sys_pacct",
        "cap_sys_admin",
        "cap_sys_boot",
        "cap_sys_nice",
        "cap_sys_resource",
        "cap_sys_time",
        "cap_sys_tty_config",
        "cap_mknod",
        "cap_lease",
        "cap_audit_write",
        "cap_audit_control",
        "cap_setfcap",
        "cap_mac_override",
        "cap_mac_admin",
        "cap_syslog"
    };
    int i;
    pid_t pid = getpid();
    cap_t cap = cap_get_pid(pid);
    cap_flag_value_t cap_flags_value;
    for (i=0; i < 34 + 1; i++) {
        cap_from_name(cap_name[i], &cap_list[i]);
        printf("%-20s %d\t\t", cap_name[i], cap_list[i]);
        printf("flags: \t\t");
        cap_get_flag(cap, cap_list[i], CAP_EFFECTIVE, &cap_flags_value);
        printf(" EFFECTIVE %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        cap_get_flag(cap, cap_list[i], CAP_PERMITTED, &cap_flags_value);
        printf(" PERMITTED %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        cap_get_flag(cap, cap_list[i], CAP_INHERITABLE, &cap_flags_value);
        printf(" INHERITABLE %-4s ", (cap_flags_value == CAP_SET) ? "OK" : "NOK");
        printf("\n");
    }
}

My results:

  ====================Cap====================
cap_chown            0      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_dac_override     1      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE OK   
cap_dac_read_search  2      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_fowner           3      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_fsetid           4      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_kill             5      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_setgid           6      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_setuid           7      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_setpcap          8      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_linux_immutable  9      flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_net_bind_service 10     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_net_broadcast    11     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_net_admin        12     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_net_raw          13     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_ipc_lock         14     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_ipc_owner        15     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_module       16     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_rawio        17     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_chroot       18     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_ptrace       19     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_pacct        20     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_admin        21     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_boot         22     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_nice         23     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_resource     24     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_time         25     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_sys_tty_config   26     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_mknod            27     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_lease            28     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_audit_write      29     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_audit_control    30     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_setfcap          31     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_mac_override     32     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
cap_mac_admin        33     flags:       EFFECTIVE NOK   PERMITTED NOK   INHERITABLE NOK  
====================Test====================
cap_chown            0      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_dac_override     1      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE OK   
cap_dac_read_search  2      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_fowner           3      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_fsetid           4      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_kill             5      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_setgid           6      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_setuid           7      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_setpcap          8      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_linux_immutable  9      flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_net_bind_service 10     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_net_broadcast    11     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_net_admin        12     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_net_raw          13     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_ipc_lock         14     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_ipc_owner        15     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_module       16     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_rawio        17     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_chroot       18     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_ptrace       19     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_pacct        20     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_admin        21     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_boot         22     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_nice         23     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_resource     24     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_time         25     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_sys_tty_config   26     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_mknod            27     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_lease            28     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_audit_write      29     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_audit_control    30     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_setfcap          31     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_mac_override     32     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_mac_admin        33     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  
cap_syslog           34     flags:       EFFECTIVE OK    PERMITTED OK    INHERITABLE NOK  

Answer 1

Reading your program over you have two programs: app and test. The app code you provide looks like it is invoking test.o, but I'm going to refer to that program as test in my explanation.

Try doing this:

$ sudo setcap cap_dac_override=ep app
$ sudo setcap cap_dac_override=ei test

If you run ./test (as a regular user and not root) it will be launched with no privilege at all. Confusing, but this is how things work by design.

INHERITABLE file capabilities (=ei) are not privilege, but the potential for inheriting privilege. You can trigger that inheriting effect if you run ./app (as a regular user) it will start with the single cap_dac_override capability in its EFFECTIVE and PERMITTED sets (cap_dac_override=ep). Your app code will raise this single capability in the INHERITABLE process flag as well, to get a process with cap_dac_override=eip.

When app ends by executing ./test, the raised process INHERITABLE flag will combine with the file INHERITABLE flag on the test binary to run your code with privilege. Since it also has the EFFECTIVE file bit, this combination will cause the test program to execute with cap_dac_override=eip. Note, the =ep process capabilities of app are not inherited directly, but only =i bits are passed on through execl() and the rules for capability inheritance convert the file-I and the process-I into a post-execl() process-IP.

For code like this, which knows how to get and set capabilities from code, you don't really need to include the '=e.' part when adding file capabilities. All that is doing is forcing the capabilities to be EFFECTIVE as the program starts running. This feature was included so programs that don't know about capabilities can be made to run with less than full root privilege. It is good practice to use cap_set_flag() and cap_set_proc() to raise the EFFECTIVE capabilities you need only when you need them.