Add new capabilities, ignore unsupported caps for bounding set
authorWiktor Garbacz <wiktorg@google.com>
Wed, 27 Jan 2021 13:37:12 +0000 (14:37 +0100)
committerWiktor Garbacz <wiktorg@google.com>
Wed, 27 Jan 2021 13:37:12 +0000 (14:37 +0100)
caps.cc

diff --git a/caps.cc b/caps.cc
index d05286cb4f061cbd2f608df43b97a213c01969ee..c23268a84fb84fcc38f787dbe20db70e164b9321 100644 (file)
--- a/caps.cc
+++ b/caps.cc
@@ -80,6 +80,15 @@ struct {
 #if defined(CAP_AUDIT_READ)
     NS_VALSTR_STRUCT(CAP_AUDIT_READ),
 #endif /* defined(CAP_AUDIT_READ) */
+#if defined(CAP_BPF)
+    NS_VALSTR_STRUCT(CAP_BPF),
+#endif /* defined(CAP_BPF) */
+#if defined(CAP_PERFMON)
+    NS_VALSTR_STRUCT(CAP_PERFMON),
+#endif /* defined(CAP_PERFMON) */
+#if defined(CAP_CHECKPOINT_RESTORE)
+    NS_VALSTR_STRUCT(CAP_CHECKPOINT_RESTORE),
+#endif /* defined(CAP_CHECKPOINT_RESTORE) */
 };
 
 int nameToVal(const char* name) {
@@ -247,6 +256,11 @@ bool initNs(nsjconf_t* nsjconf) {
                        if (getInheritable(cap_data, i.val)) {
                                continue;
                        }
+                       if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) ==
+                               -1 && errno = EINVAL) {
+                               LOG_D("Skipping unsupported capability: %s", i.name.c_str());
+                               continue;
+                       }
                        dbgmsg.append(" ").append(i.name);
                        if (prctl(PR_CAPBSET_DROP, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1) {
                                PLOG_W("prctl(PR_CAPBSET_DROP, %s)", i.name);
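Review bot: The added condition at the `errno = EINVAL` line uses assignment rather than comparison; since `&&` binds tighter than `=`, the expression parses as `(prctl(...) == -1 && errno) = EINVAL`, which a C++ compiler should reject as assigning to a non-lvalue, and if it were ever accepted it would never express the intended "prctl failed with EINVAL" test. The line should read `-1 && errno == EINVAL) {`. It is also worth a short comment on the intent, since EINVAL from PR_CAPBSET_READ is the only signal that the running kernel predates the capability, e.g. `// PR_CAPBSET_READ fails with EINVAL when the kernel does not know this cap; skip instead of failing the drop`. The enclosing initNs starts before this hunk and its loop body continues past it.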