From bcb467dde4d8db718fc5842da1344b73e4819de2 Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz
Date: Wed, 27 Jan 2021 14:37:12 +0100
Subject: [PATCH] Add new capabilities, ignore unsupported caps for bounding set

---
 caps.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/caps.cc b/caps.cc
index d05286c..c23268a 100644
--- a/caps.cc
+++ b/caps.cc
@@ -80,6 +80,15 @@ struct {
 #if defined(CAP_AUDIT_READ)
 	NS_VALSTR_STRUCT(CAP_AUDIT_READ),
 #endif /* defined(CAP_AUDIT_READ) */
+#if defined(CAP_BPF)
+	NS_VALSTR_STRUCT(CAP_BPF),
+#endif /* defined(CAP_BPF) */
+#if defined(CAP_PERFMON)
+	NS_VALSTR_STRUCT(CAP_PERFMON),
+#endif /* defined(CAP_PERFMON) */
+#if defined(CAP_CHECKPOINT_RESTORE)
+	NS_VALSTR_STRUCT(CAP_CHECKPOINT_RESTORE),
+#endif /* defined(CAP_CHECKPOINT_RESTORE) */
 };
 
 int nameToVal(const char* name) {
@@ -247,6 +256,11 @@ bool initNs(nsjconf_t* nsjconf) {
 		if (getInheritable(cap_data, i.val)) {
 			continue;
 		}
+		if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) ==
+		    -1 && errno = EINVAL) {
+			LOG_D("Skipping unsupported capability: %s", i.name.c_str());
+			continue;
+		}
 		dbgmsg.append(" ").append(i.name);
 		if (prctl(PR_CAPBSET_DROP, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1) {
 			PLOG_W("prctl(PR_CAPBSET_DROP, %s)", i.name);
--
2.34.1
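Review bot: The new guard in the initNs hunk writes `errno = EINVAL` where a comparison is intended; since `==` and `&&` bind tighter than `=`, the expression parses as `(prctl(...) == -1 && errno) = EINVAL`, whose left operand is not an lvalue, so this line should not compile as written, and if it were accepted it would clobber errno rather than test it. Change it to `if (prctl(PR_CAPBSET_READ, (unsigned long)i.val, 0UL, 0UL, 0UL) == -1 && errno == EINVAL) {`. A one-line comment above the check would help the next reader, e.g. `// PR_CAPBSET_READ fails with EINVAL when the running kernel predates this capability, even though the headers define it; skip rather than fail the later PR_CAPBSET_DROP.` Note that a PR_CAPBSET_READ failure with any other errno still falls through to PR_CAPBSET_DROP, which the commit leaves to PLOG_W; that looks intentional but is worth confirming. initNs's body begins and continues outside this hunk.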