sandbox/init: clear inheritable set

Inheritable should not be able to affect anything regardless of its value, due to no_new_privs. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-03-26 07:46:13 +09:00
parent 18644d90be
commit d613257841
2 changed files with 11 additions and 2 deletions
--- a/test/test.py
+++ b/test/test.py
@@ -100,9 +100,11 @@ print(denyOutputVerbose)
 print(machine.fail("sudo -u alice -i fsu"))

 # Verify capabilities/securebits in user namespace:
+print(machine.succeed("sudo -u alice -i fortify run capsh --print"))
 print(machine.succeed("sudo -u alice -i fortify run capsh --has-no-new-privs"))
 print(machine.fail("sudo -u alice -i fortify run capsh --has-a=CAP_SYS_ADMIN"))
 print(machine.fail("sudo -u alice -i fortify run capsh --has-b=CAP_SYS_ADMIN"))
+print(machine.fail("sudo -u alice -i fortify run capsh --has-i=CAP_SYS_ADMIN"))
 print(machine.fail("sudo -u alice -i fortify run capsh --has-p=CAP_SYS_ADMIN"))
 print(machine.fail("sudo -u alice -i fortify run umount -R /dev"))