seveas / python-prctl

Wrapping prctl for python

Home Page:http://packages.python.org/python-prctl/


No Support for Newer Capabilities

eviljoel opened this issue · comments

There does not appear to be support for CAP_BLOCK_SUSPEND and CAP_AUDIT_READ. Also, the existing implementation of 'limit' does not remove these newer capabilities. This is an error because, strictly speaking, it doesn't "Drop all but the given capabilities from the set." This could be considered a security risk, because someone might be relying on this behavior.

Going forward, you might be able to modify the code behind limit to submit (to the kernel) capability numbers greater than the greatest known number. (For example, try dropping all capabilities between 0 and 200, except for those provided to limit.) Additionally, it would be nice if the user could submit capabilities to 'drop' greater than the highest known capability at time of compile.
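An added example (not python-prctl's own code) of the approach suggested in this post: take the upper bound for "drop all but these" from the kernel rather than from the highest name known at build time, so that capabilities added after the library was compiled are still dropped, and let the caller keep a capability by raw number when no name exists for it yet. The prctl option numbers are those of `<linux/prctl.h>`; `KNOWN_CAPS` is a deliberately incomplete, constructed name table, and `caps_to_drop`, `probe_last_cap`, `read_last_cap` and `drop_bounding_set` are this example's own names, operating on the bounding set via raw `prctl(2)` rather than through python-prctl's `limit`.

```python
"""Limit capabilities by number, covering capabilities newer than the name table.

Added example, not python-prctl's code. The prctl option values come from
<linux/prctl.h>; every function name here is this example's own.
"""
import ctypes
import ctypes.util
import os

PR_CAPBSET_READ = 23  # prctl(2): is capability N in the bounding set? (unprivileged)
PR_CAPBSET_DROP = 24  # prctl(2): remove capability N from the bounding set (needs CAP_SETPCAP)
CAP_LAST_CAP_PATH = "/proc/sys/kernel/cap_last_cap"

# Constructed, deliberately incomplete name table standing in for "the names known
# when the library was compiled". Numbers match linux/capability.h.
KNOWN_CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_ADMIN": 21,
    "CAP_AUDIT_WRITE": 29,
    "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31,
    "CAP_MAC_OVERRIDE": 32,
    "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34,
    "CAP_WAKE_ALARM": 35,
    "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37,
}


def parse_last_cap(text):
    """Parse the contents of /proc/sys/kernel/cap_last_cap (a single decimal number)."""
    value = int(text.strip())
    if value < 0:
        raise ValueError("cap_last_cap cannot be negative: %r" % text)
    return value


def read_last_cap(path=CAP_LAST_CAP_PATH):
    """Highest capability number the running kernel supports (file exists since 3.2)."""
    with open(path) as fh:
        return parse_last_cap(fh.read())


def _libc():
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.prctl.restype = ctypes.c_int
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    return libc


def probe_last_cap(upper=200):
    """Fallback for kernels without cap_last_cap, as the post suggests: PR_CAPBSET_READ
    answers 0 or 1 for a valid capability number and -1 (EINVAL) past the end."""
    libc = _libc()
    for cap in range(upper):
        if libc.prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == -1:
            return cap - 1
    raise RuntimeError("no invalid capability below %d; raise the upper bound" % upper)


def caps_to_drop(keep, last_cap, known=KNOWN_CAPS):
    """Numbers of every capability in 0..last_cap that is NOT in `keep`.

    `keep` may mix names from `known` and raw numbers, so a caller can keep a
    capability this table has no name for yet. Unknown names and numbers the
    kernel does not support are rejected loudly instead of being skipped.
    """
    wanted = set()
    for cap in keep:
        if isinstance(cap, str):
            if cap not in known:
                raise ValueError("unknown capability name: %s" % cap)
            cap = known[cap]
        if not isinstance(cap, int) or not 0 <= cap <= last_cap:
            raise ValueError("capability %r not supported by this kernel (max %d)" % (cap, last_cap))
        wanted.add(cap)
    return [cap for cap in range(last_cap + 1) if cap not in wanted]


def drop_bounding_set(keep):
    """Drop every capability except `keep` from the bounding set; returns the bound used.
    Requires CAP_SETPCAP. A failed drop raises rather than leaving a capability behind."""
    libc = _libc()
    try:
        last_cap = read_last_cap()
    except OSError:
        last_cap = probe_last_cap()
    for cap in caps_to_drop(keep, last_cap):
        if libc.prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0:
            err = ctypes.get_errno()
            raise OSError(err, "PR_CAPBSET_DROP %d: %s" % (cap, os.strerror(err)))
    return last_cap


if __name__ == "__main__":
    # Dry run of the computation alone; drop_bounding_set() needs Linux and CAP_SETPCAP.
    print(caps_to_drop(["CAP_NET_BIND_SERVICE", 38], last_cap=40))
```

The pure part (`caps_to_drop`) is what makes the behaviour match the documented contract: with `last_cap` read from the kernel, a capability numbered above anything in `KNOWN_CAPS` still ends up in the drop list, and keeping one of those by number is explicit rather than silently impossible.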

Thanks, fixed in 60e3fab

@seveas, this doesn't fix the issue as I described it. Sure it is fixed right now, but as new capabilities are added, this library, for some portion of time, will not be. This means that when someone calls "limit", it still will not behave as documented and "Drop all but the given capabilities from the set." As implemented, this is still a security risk (unless you made another relevant commit which you didn't reference here).

Also, I requested above that the user be able to drop capabilities by number for capabilities that are not known yet.

Being able to pass random values is not a good idea, as is the currently silent failure, agreed. I came up with 103d825, which is much more explicit about such known-but-unnamed capabilities.