unshare.c open codes some logic to copy the permitted capability set to the
ambient set in order to implement the --keep-caps option. Move this logic
to lib/caputils.c so that we can reuse it in nsenter.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Let's split the code to make it possible to test separately bsearch as
well as procfs based cap_last_cap().
$ ./test_caputils --last-by-bsearch
last cap: 39
$ ./test_caputils --last-by-procfs
last cap: 39
$ ./test_caputils --last
last cap: 39
Signed-off-by: Karel Zak <kzak@redhat.com>
This allows the rest of the programs using cap_last_cap to trust the
value returned by it, since it will either be obtained from procfs
(straight from kernel) or with prctl.
Also checked if the file under /proc is actually mounted in a procfs.
Add the --keep-caps option to unshare to preserve capabilities that
are granted when creating a new user namespace. This allows the child
process to retain privilege within the new user namespace without also
being UID 0.
