On 2024-08-21 18:54, Simon McVittie wrote:
> On Wed, 21 Aug 2024 at 18:03:03 +0200, Paride Legovini wrote:
>> With 544a086e10a0192c5950c6211373219ee2227ead we introduced checking for
>> capabilities when running the ChrootRunner tests; some more context is
>> in the MR description [1].
>>
>> However, looks like this prevents running tests where full root
>> permissions are available. Looks like the culprit is CAP_SYS_ADMIN
>> not being INHERITABLE
>
> I thought these were the right capabilities masks, but perhaps not.
> capabilities(7) always confuses me... perhaps instead of PERMITTED &&
> INHERITABLE, I should have been checking for PERMITTED && EFFECTIVE?

https://github.com/stevegrubb/libcap-ng/blob/master/README.md brings this
example:

  5. Check for a specific capability
     if (capng_have_capability(CAPNG_EFFECTIVE, CAP_CHOWN))
         do_something();

So maybe in autopkgtest we just want this?

    have_cap_sys_admin = capng.capng_have_capability(
        capng.CAPNG_EFFECTIVE,
        capng.CAP_SYS_ADMIN,
    )

capabilities(7) says that "Permitted [...] is a limiting superset for the
effective capabilities that the thread may assume", so checking for
PERMITTED && EFFECTIVE should be the same as checking for EFFECTIVE, but I
may be misunderstanding the manpage here.

-- 
Paride
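
The three checks discussed in this thread, compared over the capability masks that the kernel exposes in /proc/<pid>/status. This is an added example, not part of the original message and not autopkgtest code: it decodes the hex masks directly instead of calling capng, the function names are hypothetical, both status samples are constructed, and CAP_SYS_ADMIN = 21 is the bit number from <linux/capability.h>.

```python
CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

# Constructed sample: a root process with every capability permitted and
# effective, and an empty inheritable set.
ROOT_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
)

# Constructed sample: CAP_SYS_ADMIN is permitted but not currently effective.
DROPPED_STATUS = (
    "Name:\thelper\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000000000\n"
)

FIELDS = {"CapInh": "inheritable", "CapPrm": "permitted", "CapEff": "effective"}


def parse_cap_sets(status_text):
    """Return the inheritable/permitted/effective masks as integers."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in FIELDS:
            sets[FIELDS[key]] = int(value.strip(), 16)
    missing = set(FIELDS.values()) - sets.keys()
    if missing:
        raise ValueError("missing capability sets: %s" % sorted(missing))
    # capabilities(7): permitted is a limiting superset of effective.
    if sets["effective"] & ~sets["permitted"]:
        raise ValueError("effective set exceeds permitted set")
    return sets


def has_cap(mask, cap):
    return bool((mask >> cap) & 1)


def compare_checks(status_text, cap=CAP_SYS_ADMIN):
    """Evaluate the three candidate checks from the thread for one process."""
    s = parse_cap_sets(status_text)
    prm, inh, eff = (has_cap(s[k], cap) for k in ("permitted", "inheritable", "effective"))
    return {
        "permitted_and_inheritable": prm and inh,
        "permitted_and_effective": prm and eff,
        "effective_only": eff,
    }


if __name__ == "__main__":
    for name, sample in (("root", ROOT_STATUS), ("dropped", DROPPED_STATUS)):
        print(name, compare_checks(sample))
```

To inspect a live process, pass the contents of /proc/self/status to compare_checks() in place of the constructed samples.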