On Fri, 6 Mar 2015, Serge E. Hallyn wrote:

> Sorry, something about that patch-patch didn't make sense to me, but I
> need to look more closely. My objection was that you were able to get the
> pA capabilities into pP without them being in your pI. Your proposed
> change didn't seem like it would fix that.

Just tried to fix that. Could it be that cap_inherited is never set even for a binary that has

christoph@fujitsu-haswell:~$ getcap ambient_test
ambient_test = cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_nice+eip

I added some printks and it seems that current_cred()->cap_inherited is not set when running ambient_test.

Index: linux/security/commoncap.c
===================================================================
--- linux.orig/security/commoncap.c	2015-03-06 11:05:10.802218196 -0600
+++ linux/security/commoncap.c	2015-03-06 12:50:38.424330679 -0600
@@ -456,6 +456,10 @@ static int get_file_caps(struct linux_bi
 	kernel_cap_t relevant_ambient = cap_intersect(
 		current_cred()->cap_ambient,
 		current_cred()->cap_inheritable);
+	printk("task->comm %s: Amb=%x Inh=%x relevant=%x\n",
+		current->comm, current_cred()->cap_ambient.cap[0],
+		current_cred()->cap_inheritable.cap[0],
+		relevant_ambient.cap[0]);
 	rc = 0;
 	if (!cap_isclear(relevant_ambient)) {
 		/*

Mar  6 12:42:18 fujitsu-haswell kernel: [  284.715051] task->comm ambient_test: Amb=803000 Inh=0 relevant=0
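Review bot: The added printk only prints word 0 (`.cap[0]`) of each kernel_cap_t, so any capability numbered 32 or above would be invisible in the trace even though cap_intersect() operates on the full set; printing `.cap[1]` alongside `.cap[0]` for Amb, Inh and relevant would make the debug output match what the intersection actually sees. The call also has no KERN_ log level, which is fine for a throwaway debug aid but should not be kept in a version meant for merging.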
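As an added illustration of what the debug trace in this mail is showing (example code written for this page, not part of the kernel patch or the original thread): the program below parses the constructed copy of the kernel log line, mirrors the patch's `cap_intersect(pA, pI)` on the first capability word, decodes the masks into cap names, and reports the ambient bits that are not backed by the inheritable set, which is the condition Serge's objection is about. It assumes the standard Linux capability numbers from `<linux/capability.h>` (CAP_SETPCAP=8, CAP_NET_ADMIN=12, CAP_NET_RAW=13, CAP_SYS_NICE=23), defined locally so it builds without kernel headers, and it only models word 0, exactly as the printk does.

```c
#include <stdio.h>
#include <string.h>

/* Standard Linux capability numbers (from <linux/capability.h>); only the ones
 * named in the getcap output are listed, so other bits print as cap_N. */
#define CAP_SETPCAP   8
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_SYS_NICE  23

static const struct { int bit; const char *name; } cap_names[] = {
    { CAP_SETPCAP,   "cap_setpcap"   },
    { CAP_NET_ADMIN, "cap_net_admin" },
    { CAP_NET_RAW,   "cap_net_raw"   },
    { CAP_SYS_NICE,  "cap_sys_nice"  },
};

/* Constructed copy of the log line quoted in the mail (not captured here). */
static const char sample_log[] =
    "Mar  6 12:42:18 fujitsu-haswell kernel: [  284.715051] "
    "task->comm ambient_test: Amb=803000 Inh=0 relevant=0";

/* Pull the hex Amb= and Inh= masks out of a log line. Returns 1 on success. */
int parse_cap_log(const char *line, unsigned *amb, unsigned *inh)
{
    const char *a = strstr(line, "Amb=");
    const char *i = strstr(line, "Inh=");
    if (!a || !i)
        return 0;
    return sscanf(a, "Amb=%x", amb) == 1 && sscanf(i, "Inh=%x", inh) == 1;
}

/* Word-0 equivalent of cap_intersect(pA, pI): the only ambient bits that are
 * eligible to land in pP across exec. */
unsigned relevant_ambient(unsigned amb, unsigned inh)
{
    return amb & inh;
}

/* Ambient bits with no matching inheritable bit. Non-zero means the process
 * carries ambient capabilities that its pI does not justify. */
unsigned ambient_not_in_inheritable(unsigned amb, unsigned inh)
{
    return amb & ~inh;
}

/* Render a word-0 mask as comma-separated cap names into buf.
 * Returns the number of set bits, or -1 if buf is too small. */
int describe_caps(unsigned mask, char *buf, size_t len)
{
    int n = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 32; bit++) {
        if (!(mask & (1u << bit)))
            continue;
        const char *name = NULL;
        for (size_t k = 0; k < sizeof cap_names / sizeof cap_names[0]; k++)
            if (cap_names[k].bit == bit)
                name = cap_names[k].name;
        int w = name
            ? snprintf(buf + used, len - used, "%s%s", n ? "," : "", name)
            : snprintf(buf + used, len - used, "%scap_%d", n ? "," : "", bit);
        if (w < 0 || (size_t)w >= len - used)
            return -1;
        used += (size_t)w;
        n++;
    }
    return n;
}

int main(void)
{
    unsigned amb, inh;
    char buf[256];
    if (!parse_cap_log(sample_log, &amb, &inh)) {
        fprintf(stderr, "could not parse log line\n");
        return 1;
    }
    describe_caps(amb, buf, sizeof buf);
    printf("pA (word 0)        : %#x = %s\n", amb, buf);
    describe_caps(inh, buf, sizeof buf);
    printf("pI (word 0)        : %#x = %s\n", inh, buf[0] ? buf : "(empty)");
    printf("pA & pI (relevant) : %#x\n", relevant_ambient(amb, inh));
    describe_caps(ambient_not_in_inheritable(amb, inh), buf, sizeof buf);
    printf("pA without pI      : %s\n", buf[0] ? buf : "(none)");
    return 0;
}
```

For the logged values this reports pA = cap_net_admin,cap_net_raw,cap_sys_nice with an empty pI, a relevant set of 0 (matching the trace), and all three ambient bits flagged as unbacked by pI, which is the state the mail is puzzling over: the file has the caps in its inheritable set (`+eip`), yet the task's pI at exec time is empty, so nothing from pA can legitimately survive.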