
Unable to drop all capabilities but CAP_SETUID


I am strace-ing a process that fails over a call to capset.

To make sure that the process has the correct capabilities I added a capget just before the capset.

The result of strace is now:

[pid 27909] capget(
    {version=_LINUX_CAPABILITY_VERSION_3, pid=0},
    {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_SYS_ADMIN, 
     permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_SYS_ADMIN, 
     inheritable=0}) = 0
[pid 27909] capset(
    {version=_LINUX_CAPABILITY_VERSION_3, pid=0}, 
    {effective=1<<CAP_SETUID, 
     permitted=1<<CAP_SETUID, 
     inheritable=0}) = -1 EPERM (Operation not permitted)

So the process has some capabilities, including CAP_SETUID in both the effective and permitted set.

Now we try to set the effective and permitted set of capabilities to CAP_SETUID.

And I don't understand why this is failing.

We are basically dropping all the capabilities but one, what's wrong with it?


Solution

  • It was a seccomp filter running.

    Unfortunately I could not find a better way to deal with this kind of issue besides thinking hard about it and hoping not to miss anything.
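
One way to narrow this down mechanically, as an added example that is not part of the original question or answer: read the capability masks and the Seccomp field from /proc/<pid>/status, apply the kernel's capset() subset rules to the requested sets, and flag the case where the rules allow the change but seccomp is active. The function names and the sample status text are assumptions made for illustration; the sample is constructed so that its CapPrm/CapEff match the capget() output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/status excerpt. CapPrm/CapEff encode the capget()
   result from the question; CapBnd, NoNewPrivs and Seccomp are assumed. */
static const char SAMPLE_STATUS[] =
    "Name:\tworker\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000002035c0\nCapEff:\t00000000002035c0\n"
    "CapBnd:\t000001ffffffffff\nNoNewPrivs:\t1\nSeccomp:\t2\n";

/* Find "Key:" at the start of a line and parse its value in the given base. */
static int status_field(const char *text, const char *key, int base, uint64_t *out)
{
    size_t klen = strlen(key);
    for (const char *p = text; p && *p; ) {
        if (strncmp(p, key, klen) == 0) {
            *out = strtoull(p + klen, NULL, base);
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

static int subset(uint64_t a, uint64_t b) { return (a & ~b) == 0; }

/* -1: field missing; 0: request breaks the kernel's capset() rules; 1: rules allow
   it, seccomp off; 2: rules allow it but seccomp is active (filter may return EPERM). */
int diagnose_capset(const char *st, uint64_t eff, uint64_t prm, uint64_t inh)
{
    uint64_t o_inh, o_prm, o_eff, o_bnd, sec;
    if (!status_field(st, "CapInh:", 16, &o_inh) || !status_field(st, "CapPrm:", 16, &o_prm) ||
        !status_field(st, "CapEff:", 16, &o_eff) || !status_field(st, "CapBnd:", 16, &o_bnd) ||
        !status_field(st, "Seccomp:", 10, &sec))
        return -1;
    if (!((o_eff >> 8) & 1) && !subset(inh, o_inh | o_prm)) return 0; /* bit 8 = CAP_SETPCAP */
    if (!subset(inh, o_inh | o_bnd)) return 0;
    if (!subset(prm, o_prm)) return 0;   /* permitted may only shrink */
    if (!subset(eff, prm)) return 0;     /* effective must fit in new permitted */
    return sec ? 2 : 1;
}

int main(void)
{
    printf("%d\n", diagnose_capset(SAMPLE_STATUS, 1ULL << 7, 1ULL << 7, 0)); /* bit 7 = CAP_SETUID */
    return 0;
}
```

In the Seccomp field, 0 means disabled, 1 strict mode and 2 filter mode, so for a live process the same check starts with reading that line from /proc/<pid>/status.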