Embedding capabilities into a program binary

We have understood that the fine granularity of the capabilities model is a major security advantage over the old-style root only or setuid-root approach. So, back to our fictional packcap program: We would like to use capabilities, and not the setuid-root. So, lets say that, upon careful study of the available capabilities, we conclude that we would like the following capabilities to be endowed into our program:

  • CAP_NET_ADMIN
  • CAP_NET_RAW

Looking up the man page on credentials(7) reveals that the first of them gives a process the ability to perform all required network administrative asks; the second, the ability to use "raw" sockets.

But how exactly does the developer embed these required capabilities ...

Get Hands-On System Programming with Linux now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.