From 1bdd9843dfaadb6effdaebb1695f6a3e5ccf5b13 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Sun, 1 Oct 2017 05:38:26 +0200
Subject: [PATCH] caps: call prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL) early

---
 caps.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/caps.c b/caps.c
index 466361a..ce5db23 100644
--- a/caps.c
+++ b/caps.c
@@ -224,8 +224,16 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 	if (cap_data == NULL) {
 		return false;
 	}
+	/* Let's start with the empty inheritable set to avoid any mistakes */
 	capsClearInheritable(cap_data);
+	/*
+	 * Remove all capabilities from the ambient set first. It works with newer kernel version only,
+	 * so don't fail if it fails
+	 */
+	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
+		PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
+	}
 
 	if (nsjconf->keep_caps) {
 		return CapsInitNsKeepCaps(cap_data);
@@ -270,9 +278,6 @@ bool capsInitNs(struct nsjconf_t * nsjconf)
 
 	/* Make sure inheritable set is preserved across execve via the modified ambient set */
 	dbgmsg[0] = '\0';
-	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
-		PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
-	}
 	TAILQ_FOREACH(p, &nsjconf->caps, pointers) {
 		if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)p->val, 0UL, 0UL) == -1) {
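Review bot: The added PR_CAP_AMBIENT_CLEAR_ALL check in the first hunk treats every prctl failure as "kernel too old" and only warns, but a missing PR_CAP_AMBIENT (ambient capabilities exist since Linux 4.3) is reported specifically as EINVAL; any other error on a kernel that does support it leaves the ambient set populated, and those capabilities survive the later execve, which is exactly what this call is meant to prevent. Assuming errno is in scope (PLOG_W appears to report it), distinguishing the two cases makes the best-effort explicit: `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1 && errno != EINVAL) { PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)"); return false; }`. The block comment would then read more precisely as `/* Clear the ambient set before anything else; EINVAL means the kernel predates ambient caps (Linux 4.3), which is not an error */`. capsInitNs begins and ends outside this hunk, so whether the keep_caps path that returns on the following lines relies on the ambient set being empty cannot be confirmed from here.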