Attempt to elevate to chroot capabilities but fails, WHY?


In order to execute

must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64"))

I need to grant the SYS_CHROOT capability to the process as follows:


    package main

    import (
        "log"
        "syscall"

        "kernel.org/pub/linux/libs/security/libcap/cap"
    )

    // must aborts on the first failed syscall (reconstructed: the question uses it but does not show it)
    func must(err error) {
        if err != nil {
            log.Fatal(err)
        }
    }

    func main() {
        // Capability sets as the kernel currently reports them (reconstructed: the question uses c without showing this)
        c := cap.GetProc()

        // Temporarily add SYS_CHROOT capability
        if err := c.SetFlag(cap.Effective, true, cap.SYS_CHROOT); err != nil {
            log.Fatalf("Failed to set capability: %v", err)
        }

        // Re-check the capabilities (SYS_CHROOT should now be effective)
        c = cap.GetProc()
        log.Printf("this process has these caps: %s", c)

        // Check if the capability is granted
        if on, _ := c.GetFlag(cap.Permitted, cap.SYS_CHROOT); !on {
            log.Fatalf("Insufficient privilege to execute syscall.Chroot - required capability not granted")
        }

        // Execute the syscall.Chroot operation
        must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64"))

        // Remove SYS_CHROOT capability
        if err := c.SetFlag(cap.Effective, false, cap.SYS_CHROOT); err != nil {
            log.Fatalf("Failed to remove capability: %v", err)
        }
    }

But I get "exit status 1: Insufficient privilege to execute syscall.Chroot - required capability not granted", which means the process hasn't been granted chroot capabilities. Any clue on what could be the problem?

1 answer

Tinkerer:

The c.SetFlag(...) call only raises the effective bit in the c capability Set. You also need to apply that cap.Set to the process with c.SetProc():

    if err := c.SetProc(); err != nil {
        log.Fatalf("Failed to apply capabilities, %q: %v", c, err)
    }
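The answer's point is that a cap.Set is only a user-space copy of the kernel's capability state, and nothing changes until it is written back. The following is an added example, not code from the question, the answer or the libcap project: it does the same raise-chroot-drop sequence with the raw capget(2)/capset(2) syscalls from Go's standard library, so the kernel-side state and the write-back step are explicit. It also checks the Permitted set first, because the message in the question (Permitted check failing after a fresh GetProc) means CAP_SYS_CHROOT was never permitted at all, and in that situation no write-back can help: the binary must get the capability from setcap or from running as root. Assumptions: Linux on an architecture where Go's syscall package defines SYS_CAPGET/SYS_CAPSET (amd64, arm64), the version-3 capability ABI, and CAP_SYS_CHROOT = 18, both taken from <linux/capability.h>.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// From <linux/capability.h>: the v3 ABI magic and CAP_SYS_CHROOT's bit number.
const (
	linuxCapabilityVersion3 = 0x20080522
	capSysChroot            = 18
)

// Kernel ABI structs for capget(2)/capset(2). v3 passes two 32-bit halves per
// set, and pid 0 selects the calling thread.
type capHeader struct {
	version uint32
	pid     int32
}
type capData struct{ effective, permitted, inheritable uint32 }

// capSets is the calling thread's capability state as 64-bit bitmasks.
type capSets struct{ Effective, Permitted, Inheritable uint64 }

func hasCap(mask uint64, c uint) bool { return mask&(1<<c) != 0 }

func withCap(mask uint64, c uint, on bool) uint64 {
	if on {
		return mask | 1<<c
	}
	return mask &^ (1 << c)
}

// capget reads the kernel's view; a struct edited in user space proves nothing.
func capget() (capSets, error) {
	hdr := capHeader{version: linuxCapabilityVersion3}
	var data [2]capData
	if _, _, e := syscall.Syscall(syscall.SYS_CAPGET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0); e != 0 {
		return capSets{}, fmt.Errorf("capget: %w", e)
	}
	join := func(lo, hi uint32) uint64 { return uint64(lo) | uint64(hi)<<32 }
	return capSets{
		Effective:   join(data[0].effective, data[1].effective),
		Permitted:   join(data[0].permitted, data[1].permitted),
		Inheritable: join(data[0].inheritable, data[1].inheritable),
	}, nil
}

// capset writes the sets back to the kernel: the step the question's code never
// reached (cap.SetProc does it for every thread; raw capset is per-thread).
func capset(s capSets) error {
	hdr := capHeader{version: linuxCapabilityVersion3}
	data := [2]capData{
		{uint32(s.Effective), uint32(s.Permitted), uint32(s.Inheritable)},
		{uint32(s.Effective >> 32), uint32(s.Permitted >> 32), uint32(s.Inheritable >> 32)},
	}
	if _, _, e := syscall.Syscall(syscall.SYS_CAPSET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0); e != 0 {
		return fmt.Errorf("capset: %w", e)
	}
	return nil
}

// setEffective raises or lowers c in the calling thread's effective set. The
// kernel refuses an effective bit that is not permitted, so a failing Permitted
// check (as in the question) cannot be fixed by any capset call.
func setEffective(c uint, on bool) error {
	s, err := capget()
	if err != nil {
		return err
	}
	if on && !hasCap(s.Permitted, c) {
		return fmt.Errorf("capability %d not permitted: run as root or setcap the binary", c)
	}
	s.Effective = withCap(s.Effective, c, on)
	return capset(s)
}

// chrootWithCap makes CAP_SYS_CHROOT effective only around chroot(2). The goroutine
// is pinned to one OS thread because capset is per-thread; the new root still
// applies to the whole process, since Go's threads share one fs root.
func chrootWithCap(dir string) error {
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()
	if err := setEffective(capSysChroot, true); err != nil {
		return err
	}
	defer func() { _ = setEffective(capSysChroot, false) }()
	if err := syscall.Chroot(dir); err != nil {
		return fmt.Errorf("chroot %s: %w", dir, err)
	}
	return syscall.Chdir("/") // otherwise the cwd still points outside the new root
}

func main() {
	if len(os.Args) != 2 {
		log.Fatalf("usage: %s <new-root-dir>", os.Args[0])
	}
	if err := chrootWithCap(os.Args[1]); err != nil {
		log.Fatal(err)
	}
	fmt.Println("chroot succeeded; now running inside", os.Args[1])
}
```

Run it as root, or after `setcap cap_sys_chroot+p ./prog`, and it succeeds; as an unprivileged user it fails at the Permitted check with the same root cause as the question's output. Two things this example makes visible that the libcap wrapper hides: raw capset only changes the calling thread (which is why the code pins the goroutine, and why cap.SetProc has to synchronise every thread in the process), and a process that keeps CAP_SYS_CHROOT in its Permitted set can re-raise it and chroot again, so for an actual confinement boundary the bit has to be cleared from Permitted as well, after which it cannot be regained.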