28 Mar 2013, 6:09 a.m.
That seems like a kernel flaw - it makes sense that you can't _add_ capabilities without CAP_SETPCAP, but being unable to _drop_ capabilities without first acquiring a capability seems backwards.
You cannot add capabilities to the bounding set at all. It is a one-way street. /me learned a lot of things while writing these two patches. In fact, capng_apply(CAPNG_SELECT_BOUNDS) will never fail, but I preferred to be conservative in patch 1 just in case this changes in the future.
Hmm, this seems like we may want it for 1.0.4
I do not think so, there should not be any cases right now where unprivileged libvirt calls a setuid helper.

Paolo
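As an added illustration of the two kernel behaviours discussed above (this is not code from the libvirt patches or from libcap-ng), the program below tries to drop one capability from its bounding set via prctl(2): the kernel refuses with EPERM unless the caller holds CAP_SETPCAP, and once the drop succeeds there is no prctl operation to put the capability back. The helper names `bset_has`, `bset_drop` and `have_effective_cap` are my own, and CAP_SYS_MODULE is used only because dropping it is harmless for a test process.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Outcome of one bounding-set drop attempt. */
enum bset_drop_result {
    BSET_DROPPED = 0,      /* drop succeeded; PR_CAPBSET_READ confirms the bit is gone */
    BSET_NEED_SETPCAP = 1, /* kernel answered EPERM: the caller lacks CAP_SETPCAP */
    BSET_ERROR = 2         /* any other failure */
};

/* Is `cap` still in this thread's bounding set? 1 = yes, 0 = dropped, -1 = error. */
int bset_has(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Does this thread hold `cap` in its effective set? Raw capget(2) with the v3
 * layout, so no libcap dependency. Returns 1 or 0, or -1 on error. */
int have_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap >> 5].effective >> (cap & 31)) & 1;
}

/* Remove `cap` from the bounding set. The kernel only offers PR_CAPBSET_DROP;
 * there is no PR_CAPBSET_ADD, so a successful drop is permanent for this process
 * and for everything it later execs. The drop itself requires CAP_SETPCAP. */
enum bset_drop_result bset_drop(int cap) {
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        return bset_has(cap) == 0 ? BSET_DROPPED : BSET_ERROR;
    return errno == EPERM ? BSET_NEED_SETPCAP : BSET_ERROR;
}

int main(void) {
    int cap = CAP_SYS_MODULE; /* constructed choice: losing it does not affect this process */
    printf("CAP_SETPCAP effective: %d, CAP_SYS_MODULE in bounding set before: %d\n",
           have_effective_cap(CAP_SETPCAP), bset_has(cap));
    enum bset_drop_result r = bset_drop(cap);
    printf("drop result: %d (0=dropped, 1=need CAP_SETPCAP), in bounding set after: %d\n",
           r, bset_has(cap));
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_SETPCAP to see both outcomes; a second call after a successful drop still returns BSET_DROPPED because the bit cannot come back.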