libcap-ng-0.9.1

This release fixes a few problems in cap-audit. It adds a --tree option to pscap. And captest is now deprecated. If you really want it, pass --enable-deprecated to configure.

libcap-ng-0.9

This release contains a significant new utility, cap-audit. Its purpose is to audit the use of capabilities of a target program. When the program ends or Ctl-c stops it, a report is generated about what was used. This can then be used to lower capabilities instead of running as root. Other changes in the release include:

• Fix python path when invoking py-compile (Jan Palus)
• Drop python2 bindings (Rudi Heitbaum)
• Optimize capability name translation lookups

libcap-ng-0.8.5

This release fixes building python bindings due to deprecated global exception handler. The utilities were corrected to link against the just built libraries.

libcap-ng-0.8.4

In capng_change_id, clear PR_SET_KEEPCAPS if returning an error, in pscap add -p option for reporting a specified process, annotate function prototypes to warn if results are unused, drop python2 support.

libcap-ng-0.8.3

Fix capng_updatev python bindings to work as documented. Detect capability options at runtime to make containerization easier. Initialize the library when linked statically.

libcap-ng-0.8.2

In capng_apply, continue changing capabilities when faced with an error in the bounding set to cover the possibility that someone does not check the return codes and doesn't realize they have full capabilities when they should have been dropped. This release also improves the runtime detection of the last valid capability. And if PR_CAP_AMBIENT is not available, do not build libdrop_ambient.

libcap-ng-0.8.1

This is a bug fix release. See the changelog for details. This release adds libdrop_ambient which can be LD_PRELOAD'ed to any application that inherits ambient capabilities to force it to drop ambient capabilities so they don't leak everywhere. This is particularly useful if you see a daemon using systemd's capabilities facility since that is how it bestows capabilities on a process. But its up to the process to drop them. Not all do.

Only other thing to be aware of is that capng_apply is now more aggressive with returning errors. This means that code that was "working fine" may now have an error. But the reality was that it was silently failing unknown to it. I have only seen one problem and filed an upstream issue. But be aware in case there are more.

libcap-ng-0.8

This release adds support for ambient capabilities and V3 filesystem capabilities. A bug in the python bindings was also fixed which prevented use of capng_updatev.

Please help test the new features and report any bugs

libcap-ng-0.7.11

This is a bug fix release. Found that in some cases bounding set was not being cleared across a id change when requested. Also, now does not need malloc in capng_apply to prevent application hangs. If procfs is not available, get bounding set via prctl. Added support for CAP_PERFMON, CAP_BPF, & CAP_CHECKPOINT_RESTORE.

libcap-ng-0.7.10

This release adds capng_have_permitted_capabilities() function, filecap outputs which set the capabilities are in, filecap doesn't output an error when a file has no capabilities, added udplite support to netcap, fixed usage of pthread_atfork, and mark processes in child user namespaces with *