I see that in the kernel code, the security/commoncap.c cap_capset function only verifies that the new_Effective is a subset of the new_Permitted. It doesn't verify whether the new_Inheritable is a subset of the new_Permitted. I found it when I cleaned up the ltp capset02 test code.

Signed-off-by: Yang Xu <xuyang2018.jy@xxxxxxxxxxxxxx> --- man2/capget.2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/man2/capget.2 b/man2/capget.2 index 94d38d877..6cad3d5d8 100644 --- a/man2/capget.2 +++ b/man2/capget.2 @@ -195,8 +195,7 @@ One of the arguments was invalid. .TP .B EPERM An attempt was made to add a capability to the Permitted set, or to set -a capability in the Effective or Inheritable sets that is not in the -Permitted set. +a capability in the Effective sets that is not in the Permitted set. .TP .B EPERM The caller attempted to use -- 2.18.0
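Review bot: the replacement line in the EPERM hunk drops the Inheritable rule entirely rather than correcting it, which leaves the man page silent on a check cap_capset still enforces: the new Inheritable set must be a subset of the caller's existing Inheritable and Permitted sets combined (and, without CAP_SETPCAP, of the bounding set as well), and violating that also returns EPERM. Suggest keeping an Inheritable clause that states the actual constraint instead of deleting it, for example "or to set a capability in the Inheritable set that is not in the caller's Inheritable or Permitted set". Separately, the added line "a capability in the Effective sets that is not in the Permitted set." should read "Effective set" (singular) now that only one set is named.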