securebits: add support for keepcaps flag

[lucab]

This adds initial support for securebits, starting from GET_KEEPCAPS and SET_KEEPCAPS.

Closes: https://github.com/lucab/caps-rs/issues/26

[lucab]

@kpcyrd can you please give this a run in your consumer and double-check that I didn't overlook anything?

[kpcyrd]

Just tested and I was able to persist capabilities over an setuid, +1 :)

 [%]> id
uid=0 euid=0 suid=0 gid=0 egid=0 sgid=0 groups=[0]
 [%]> caps -e
{CAP_NET_BROADCAST, CAP_SYSLOG, CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, CAP_IPC_LOCK, CAP_CHOWN, CAP_SYS_RESOURCE, CAP_SYS_BOOT, CAP_IPC_OWNER, CAP_AUDIT_WRITE, CAP_LEASE, CAP_SYS_MODULE, CAP_NET_RAW, CAP_SETUID, CAP_SETFCAP, CAP_FSETID, CAP_MKNOD, CAP_SYS_PACCT, CAP_NET_ADMIN, CAP_SETGID, CAP_MAC_OVERRIDE, CAP_SYS_TTY_CONFIG, CAP_DAC_OVERRIDE, CAP_LINUX_IMMUTABLE, CAP_FOWNER, CAP_SYS_CHROOT, CAP_SYS_RAWIO, CAP_SYS_TIME, CAP_AUDIT_CONTROL, CAP_SYS_PTRACE, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, CAP_DAC_READ_SEARCH, CAP_SYS_NICE, CAP_AUDIT_READ, CAP_KILL, CAP_SETPCAP, CAP_MAC_ADMIN}
 [%]> keepcaps 
off
 [%]> keepcaps on
 [%]> setuid 1000
 [%]> id
uid=1000 euid=1000 suid=1000 gid=0 egid=0 sgid=0 groups=[0]
 [%]> caps
{CAP_LINUX_IMMUTABLE, CAP_AUDIT_READ, CAP_SYS_RESOURCE, CAP_AUDIT_WRITE, CAP_SYS_TIME, CAP_SYS_PTRACE, CAP_SYS_CHROOT, CAP_SYSLOG, CAP_MAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_KILL, CAP_WAKE_ALARM, CAP_NET_RAW, CAP_BLOCK_SUSPEND, CAP_LEASE, CAP_SYS_ADMIN, CAP_NET_BROADCAST, CAP_SYS_PACCT, CAP_SETUID, CAP_SYS_NICE, CAP_CHOWN, CAP_MKNOD, CAP_NET_ADMIN, CAP_SETPCAP, CAP_AUDIT_CONTROL, CAP_SYS_MODULE, CAP_SYS_BOOT, CAP_FOWNER, CAP_SYS_RAWIO, CAP_NET_BIND_SERVICE, CAP_MAC_ADMIN, CAP_SETGID, CAP_IPC_LOCK, CAP_SYS_TTY_CONFIG, CAP_SETFCAP, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_IPC_OWNER}
 [%]> caps -e
{}
 [%]> caps -re CAP_SETUID
 [%]> caps -e
{CAP_SETUID}
 [%]> setuid 0
 [%]> id
uid=0 euid=0 suid=0 gid=0 egid=0 sgid=0 groups=[0]
 [%]> 

I ran into #28 while testing, which seems unrelated.

[lucab]

Ack, thanks. I'll merge this and then look at #28 separately.