1. prctl (SET AMBIENT and bounding set)

#include <sys/prctl.h>
int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);

PR_CAP_AMBIENT (since Linux 4.3)
Reads or changes the ambient capability set of the calling thread, according to the value of arg2, which must be one of the following:

PR_CAPBSET_DROP (since Linux 2.6.25)
If the calling thread has the CAP_SETPCAP capability within its user namespace, then drop the capability specified by arg2 from the calling thread's capability bounding set. Any children of the calling thread will inherit the newly reduced bounding set.

Practitioner notes: the drop cannot be undone for this thread or for anything it later forks or execs, but it does not take the capability out of the thread's current permitted or effective sets. The bounding set only masks what can be gained from file capabilities at execve(2) and what can be added to the inheritable set with capset(2). The current bounding set can be inspected without privilege using PR_CAPBSET_READ, which returns 1 if the capability is present and 0 if it is not. Without CAP_SETPCAP the drop fails with EPERM. Wrapped as a helper:

    int cap_set_drop(int capvalue)
    {
        /* 0 on success, -1 with errno set (EPERM without CAP_SETPCAP) */
        return prctl(PR_CAPBSET_DROP, capvalue, 0, 0, 0);
    }
2. SET keep flag

PR_SET_KEEPCAPS (since Linux 2.2.18)
Set the state of the calling thread's "keep capabilities" flag. The effect of this flag is described in capabilities(7). arg2 must be either 0 (clear the flag) or 1 (set the flag). The "keep capabilities" value will be reset to 0 on subsequent calls to execve(2).

Practitioner notes: by default, a thread that switches all of its UIDs from 0 to nonzero (setuid(2), setresuid(2), ...) has its permitted and effective sets cleared. With the flag set, the permitted set survives the UID change, but the effective set is still cleared because the effective UID went from 0 to nonzero, so the program must re-raise the capabilities it needs with capset(2) (or libcap's cap_set_proc(3)) after dropping root. The flag can be read back with PR_GET_KEEPCAPS and is the same state exposed as the SECBIT_KEEP_CAPS securebit. Setting it needs no privilege unless SECBIT_KEEP_CAPS_LOCKED is set, in which case PR_SET_KEEPCAPS fails with EPERM.
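The three operations above (bounding-set drop, keep-caps, ambient raise) are usually combined in one privilege-drop sequence: a daemon started as root keeps one capability across the switch to an unprivileged UID and then makes it ambient so a helper it later execs inherits it. The program below is an added example and is not code from the original page or from any man page. It uses only prctl(2) and raw capget/capset via syscall(2); the choice of CAP_SYS_MODULE and CAP_NET_BIND_SERVICE as demonstration capabilities, and uid/gid 65534 as "nobody", are assumptions of the example. The query helpers work without privilege; the drop sequence only runs when started as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <unistd.h>

/* --- bounding set: PR_CAPBSET_READ / PR_CAPBSET_DROP --- */

/* 1 if cap is in the thread's bounding set, 0 if not, -errno on error. Unprivileged. */
int bounding_set_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Drop cap from the bounding set. Needs CAP_SETPCAP, cannot be undone, and is
   inherited by every later fork()/execve(). 0 on success, -errno (EPERM) otherwise. */
int bounding_set_drop(int cap)
{
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) == 0 ? 0 : -errno;
}

/* --- ambient set: PR_CAP_AMBIENT --- */

/* 1 if cap is in the ambient set, 0 if not, -errno on error. Unprivileged. */
int ambient_has(int cap)
{
    int r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0, 0);
    return r < 0 ? -errno : r;
}

/* Raise cap into the ambient set so it survives execve() of a binary that has no
   file capabilities and no set-UID bit. The kernel refuses with EPERM unless cap is
   in both the permitted and inheritable sets (and SECBIT_NO_CAP_AMBIENT_RAISE is clear). */
int ambient_raise(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0, 0) == 0 ? 0 : -errno;
}

/* --- keep-caps flag: PR_SET_KEEPCAPS / PR_GET_KEEPCAPS --- */

int keepcaps_set(int on)
{
    return prctl(PR_SET_KEEPCAPS, (unsigned long)(on ? 1 : 0), 0, 0, 0) == 0 ? 0 : -errno;
}

int keepcaps_get(void)
{
    int r = prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Put cap into the effective and inheritable sets with raw capset(2) (v3 layout, no
   libcap). cap must already be in the permitted set, which is exactly what keep-caps
   preserves across the UID switch; the effective set is cleared by that switch regardless.
   0 on success, -errno (EPERM if cap is not permitted) otherwise. */
int raise_effective_and_inheritable(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -errno;
    data[CAP_TO_INDEX(cap)].effective   |= CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) != 0) return -errno;
    return 0;
}

/* Full sequence for a root-started daemon: keep one capability while becoming uid/gid,
   then make it ambient for helpers it execs. Must be called with UID 0. 0 or -errno. */
int drop_to_uid_keeping(uid_t uid, gid_t gid, int cap)
{
    int r;
    if ((r = keepcaps_set(1)) != 0) return r;   /* permitted survives the UID change */
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;        /* effective (and ambient) cleared here */
    keepcaps_set(0);                            /* flag served its purpose */
    if ((r = raise_effective_and_inheritable(cap)) != 0) return r;
    return ambient_raise(cap);                  /* now legal: cap is permitted + inheritable */
}

int main(void)
{
    int r;
    printf("bounding set has CAP_SYS_MODULE: %d\n", bounding_set_has(CAP_SYS_MODULE));
    r = bounding_set_drop(CAP_SYS_MODULE);
    printf("PR_CAPBSET_DROP CAP_SYS_MODULE: %s\n", r == 0 ? "dropped" : strerror(-r));
    printf("bounding set has CAP_SYS_MODULE: %d\n", bounding_set_has(CAP_SYS_MODULE));
    printf("ambient has CAP_NET_BIND_SERVICE: %d\n", ambient_has(CAP_NET_BIND_SERVICE));
    if (geteuid() == 0) {                       /* 65534 assumed to be "nobody" */
        r = drop_to_uid_keeping(65534, 65534, CAP_NET_BIND_SERVICE);
        printf("drop to uid 65534: %s; uid now %d, ambient CAP_NET_BIND_SERVICE=%d\n",
               r == 0 ? "ok" : strerror(-r), (int)getuid(), ambient_has(CAP_NET_BIND_SERVICE));
    }
    return 0;
}
```

Run it once as an ordinary user and once as root (for example inside a container that still holds CAP_SETPCAP) to see the difference: unprivileged, the bounding-set drop and the ambient raise fail with EPERM while the reads and the keep-caps toggle succeed; as root, CAP_SYS_MODULE disappears from the bounding set for good and the ambient query reports 1 after the UID switch, which is what lets a subsequent execve() of an unprivileged helper keep CAP_NET_BIND_SERVICE.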



