fork and execve to inherit unprivileged parent process' capabilities

On a Linux system, an unprivileged user launches a program. The process created has the capabilities CAP_NET_RAW, CAP_NET_ADMIN with mode effective, permitted, inheritable. This process then creates a child process by calling fork and execv to invoke another program, udhcpc, but the child process does not inherit the capabilities CAP_NET_RAW, CAP_NET_ADMIN as expected, even though before setting the capabilities I called prctl(PR_SET_KEEPCAPS, 1).

Any suggestion on what to do to inherit the unprivileged parent process' capabilities upon fork followed by execve?

Eswar asked May 27 '11 15:05



2 Answers

On execve(), the file capability sets of the file being executed (in this case, udhcpc) are inspected and combined with the thread's capability sets. In particular, the file's Inheritable set is AND-ed with the thread's Inheritable set to determine the new Permitted set, and the file's Effective bit must be set in order for the new Effective set to be copied from the Permitted set.

This implies that in your case you must use setcap cap_net_raw,cap_net_admin=ei /path/to/udhcpc to obtain the effect you want (in addition to setting the capabilities in the parent process - the prctl() is not necessary).

caf answered Sep 20 '22 18:09

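The execve() rules caf describes, as an added C simulation (not code from the answer, the asker, or the kernel): it applies the capabilities(7) transformation to the asker's parent sets, going beyond the answer by including the bounding and ambient sets (ambient exists since Linux 4.3, after this question). The CAP_NET_ADMIN/CAP_NET_RAW bit numbers are the real ones; the struct and function names are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>

/* Capability bit numbers as in <linux/capability.h>; only the two from the question. */
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_BIT(c)    ((uint64_t)1 << (c))
#define NET_CAPS      (CAP_BIT(CAP_NET_RAW) | CAP_BIT(CAP_NET_ADMIN))

/* Thread sets (one bit per capability) and file sets as written by setcap(8); file "effective" is one flag. */
struct thread_caps { uint64_t permitted, effective, inheritable, bounding, ambient; };
struct file_caps   { uint64_t permitted, inheritable; bool effective; };

/* The transformation execve() applies, per capabilities(7):
 *   P'(ambient)     = file is privileged ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable)
 * "Privileged" here means the file carries capabilities (the kernel also counts setuid/setgid, not modelled). */
struct thread_caps execve_caps(struct thread_caps p, struct file_caps f)
{
    struct thread_caps n;
    bool privileged = (f.permitted | f.inheritable) != 0;
    n.ambient     = privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* The parent in the question: CAP_NET_RAW,CAP_NET_ADMIN in e, p and i; full bounding set; no ambient caps. */
static const struct thread_caps PARENT = { NET_CAPS, NET_CAPS, NET_CAPS, ~(uint64_t)0, 0 };

/* udhcpc without file capabilities: the parent's inheritable bits have nothing to AND with, so nothing survives. */
uint64_t child_effective_without_setcap(void)
{
    struct file_caps none = { 0, 0, false };
    return execve_caps(PARENT, none).effective;
}

/* udhcpc after "setcap cap_net_raw,cap_net_admin=ei": file i-set matches the parent's, file e flag raises them. */
uint64_t child_effective_with_setcap(void)
{
    struct file_caps ei = { 0, NET_CAPS, true };
    return execve_caps(PARENT, ei).effective;
}
```

Running the two scenario functions reproduces the asker's empty child set and the result after the setcap command from the answer; a file with the caps in its permitted set but without the effective flag yields a child that holds them in permitted only.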


According to "The Linux Programming Interface" by Michael Kerrisk (No Starch Press, 2010):

Since kernel 2.6.24, it is possible to attach capabilities to a file. Various other features were added in kernels 2.6.25 and 2.6.26 in order to complete the capabilities implementation.

The tools sucap and execcap are what you should look up. However they are, if I recall, limited to restricting, not granting, capabilities. Look at:

http://www.linuxjournal.com/article/5737

and

http://lkml.indiana.edu/hypermail/linux/kernel/0503.1/2540.html

Mark Bidewell answered Sep 18 '22 18:09
