Linux 2.6.26 is out, which means that a complete Linux capabilities implementation has finally arrived, since we now have:
- The ability to attach capability sets to files (added in 2.6.24), so that a process can acquire capabilities during an execve(2).
- A CAP_SETPCAP capability with the proper semantics (since 2.6.25).
- A per-thread capability bounding set (added in 2.6.25).
- The per-thread securebits flags (added in 2.6.26), which can be used to restrict a thread and its children to a pure capabilities-only environment (i.e., one in which there is no special treatment of UID 0).
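The following is an added example, not code from the original post: a small C program that reads the calling thread's securebits and capability bounding set with prctl(2) and reports whether the thread is in the capabilities-only environment described in the last item. The function and enum names are chosen for this example; the "locked" combination it checks for is the one documented in capabilities(7).

```c
/* Added example: audit the calling thread's securebits and bounding set. */
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/securebits.h>

/* Names below are hypothetical, chosen for this example. */
enum caps_mode { ROOT_SPECIAL = 0, CAPS_ONLY_UNLOCKED = 1, CAPS_ONLY_LOCKED = 2 };

/* Classify a securebits value. Pure function, makes no system calls. */
enum caps_mode classify_securebits(unsigned long bits)
{
    /* Both flags are needed to remove the special treatment of UID 0. */
    const unsigned long base = SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP;
    /* Locks make the setting irreversible for the thread and its children. */
    const unsigned long locks = SECBIT_NOROOT_LOCKED |
                                SECBIT_NO_SETUID_FIXUP_LOCKED |
                                SECBIT_KEEP_CAPS_LOCKED;

    if ((bits & base) != base)
        return ROOT_SPECIAL;
    if ((bits & locks) != locks)
        return CAPS_ONLY_UNLOCKED;
    return CAPS_ONLY_LOCKED;
}

/* Count capabilities still present in the bounding set (-1 if unsupported). */
int bounding_set_count(void)
{
    int n = 0, cap, r = -1;
    for (cap = 0; cap < 64; cap++) {
        r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (r < 0)              /* first capability number the kernel rejects */
            break;
        n += r;
    }
    return (cap == 0 && r < 0) ? -1 : n;
}

int main(void)
{
    static const char *names[] = { "UID 0 is still special",
        "capabilities-only, but not locked", "capabilities-only and locked" };
    int bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (bits < 0) {
        perror("PR_GET_SECUREBITS");
        return 1;
    }
    printf("securebits=0x%x: %s\n", bits, names[classify_securebits(bits)]);
    printf("capabilities in bounding set: %d\n", bounding_set_count());
    return 0;
}
```

Reading these values needs no privilege, so the check can run inside a sandboxed service at startup to confirm that the launcher applied the intended restrictions.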
(2012-02-20: updated link to Serge Hallyn's article.)