-rw-r--r--runconuid/runconuid.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/runconuid/runconuid.cpp b/runconuid/runconuid.cpp
index 496d51f1..6438f7f0 100644
--- a/runconuid/runconuid.cpp
+++ b/runconuid/runconuid.cpp
@@ -34,6 +34,8 @@ with the specified group membership.
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
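Review bot: `PR_CAP_AMBIENT` and `PR_CAP_AMBIENT_RAISE` come from the kernel UAPI `linux/prctl.h` that `<sys/prctl.h>` pulls in, and they only exist in headers from Linux 4.3 onward, so the "kernel may not support ambient capabilities" tolerance in the other hunk covers the runtime case but not the build: on older headers the new code fails to compile. If this tool is ever built against such headers, guard the constants, e.g. `#ifndef PR_CAP_AMBIENT` / `#define PR_CAP_AMBIENT 47` / `#define PR_CAP_AMBIENT_RAISE 2` / `#endif` after the includes. Also, `<sys/capability.h>` is a libcap header and nothing in the visible changes calls the libcap API; if the rest of the file does not either, it adds a build dependency for no benefit and `<linux/capability.h>` (for `CAP_LAST_CAP`) would suffice.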
@@ -53,10 +55,17 @@ static char** child_argv = nullptr;
}
void do_child(void) {
+
if (context && setexeccon(context) < 0) {
perror_exit("Setting context to failed");
}
+ // Disregard ambient capability failures, we may just be on a kernel
+ // that does not support them.
+ for (int i = 0; i < 64; ++i) {
+ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0);
+ }
+
if (ngroups && setgroups(ngroups, groups) < 0) {
perror_exit("Setting supplementary groups failed.");
}
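Review bot: The `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0)` loop can only raise a capability that is already in both the permitted and the inheritable set, and nothing in this hunk adds anything to the inheritable set, which is normally empty even for a root process; unless that is done elsewhere in do_child (the function continues past this hunk), every call fails with EPERM and the unconditional "disregard failures" silently turns the whole addition into a no-op. The comment justifies ignoring only EINVAL from a pre-4.3 kernel, so the error handling should tolerate exactly that and report anything else, and the bound should be `CAP_LAST_CAP` rather than a hard-coded 64, since numbers above it are also rejected with EINVAL and would mask a real failure. Since the commit already adds `<sys/capability.h>`, the straightforward fix is to copy the permitted set into the inheritable set with libcap before the ambient raise, as below. I could not see the uid switch that presumably follows in do_child; if it drops root without keepcaps in effect, verify the ambient set survives it.

```cpp
  // … unchanged: setexeccon …

  // Ambient capabilities can only be raised for capabilities that are in
  // both the permitted and the inheritable set, so mirror permitted into
  // inheritable first.
  cap_t caps = cap_get_proc();
  if (caps == nullptr) {
    perror_exit("cap_get_proc failed.");
  }
  for (int i = 0; i <= CAP_LAST_CAP; ++i) {
    cap_flag_value_t permitted = CAP_CLEAR;
    cap_value_t cap = i;
    if (cap_get_flag(caps, cap, CAP_PERMITTED, &permitted) == 0 && permitted == CAP_SET) {
      cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
    }
  }
  if (cap_set_proc(caps) < 0) {
    perror_exit("cap_set_proc failed.");
  }
  cap_free(caps);

  // Only EINVAL is tolerated: it means the running kernel (pre-4.3) has no
  // ambient capability support. Any other failure is a real error.
  for (int i = 0; i <= CAP_LAST_CAP; ++i) {
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0 && errno != EINVAL) {
      perror_exit("Raising ambient capability failed.");
    }
  }

  // … unchanged: setgroups …
```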