Implementing Ambient Capabilities

Capabilities allow Linux processes to drop most root-like privileges while retaining only the subset they need to perform their function. The original implementation of capabilities made it impossible for a fork+exec'd process to inherit capabilities unless the file being executed had file capabilities configured. File capabilities, in turn, present a security risk, since any process that executes a file carrying file capabilities gains those capabilities.

Ambient capabilities allow system services to configure their capabilities in their .rc files, bringing all of a service's configuration into a single file instead of splitting the capabilities configuration out into the fs_config.c file.

Reference implementation

The reference implementation is the Android common kernel.

Required patches

Required patches have been backported to all the relevant Android common kernel branches.

The main ambient capabilities patch has been backported in:

A small security fix has been backported in:

A memory leak fix, needed for kernels < 3.18, has been backported in:

The Bionic unit tests include tests for ambient capabilities. Beyond that, using the "capabilities" keyword for a service in Android init and then checking that the service receives the expected capabilities allows runtime testing of this feature.
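The following C program is an added illustration of the mechanism described above; it is not Android init's code and is not part of the reference patches. A process raises a capability into its ambient set with prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ...), which the kernel only permits once the capability is both permitted and inheritable, and then fork+execs a shell that has no file capabilities to show that the child's CapAmb mask still carries it. The CapAmb line in /proc/<pid>/status is the same thing one would inspect for an init service declared with the "capabilities" keyword. The helper names (read_cap_amb, raise_ambient, raise_and_verify) are the example's own; it needs a Linux 4.3 or later kernel, and the raise succeeds only when the caller already holds the capability (for example as root), otherwise it reports EPERM.

```c
/* Added example: raising an ambient capability and checking that it
 * survives execve() of a binary without file capabilities. Not Android code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* Fallback values for toolchains whose headers predate Linux 4.3. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT            47
#define PR_CAP_AMBIENT_IS_SET     1
#define PR_CAP_AMBIENT_RAISE      2
#define PR_CAP_AMBIENT_LOWER      3
#define PR_CAP_AMBIENT_CLEAR_ALL  4
#endif

/* Parse the CapAmb mask of the calling process out of /proc/self/status.
 * Returns the 64-bit mask, or ~0ULL if the file could not be read. */
unsigned long long read_cap_amb(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return ~0ULL;
    char line[256];
    unsigned long long mask = ~0ULL;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapAmb:", 7) == 0) {
            mask = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* 1 if cap is ambient, 0 if not, -errno on error (-EINVAL for a
 * capability number the kernel does not know). */
int ambient_is_set(int cap)
{
    int r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
    return r < 0 ? -errno : r;
}

int ambient_clear_all(void)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0 ? -errno : 0;
}

/* The kernel admits a capability to the ambient set only if it is already
 * permitted and inheritable, so set the inheritable bit via capset() first. */
static int add_inheritable(int cap)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    data[cap / 32].inheritable |= 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* 0 on success, -EPERM for an unprivileged caller, -EINVAL if cap is out of range. */
int raise_ambient(int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return -EINVAL;
    int r = add_inheritable(cap);
    if (r < 0)
        return r;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0 ? -errno : 0;
}

/* Raise cap, then confirm it through both prctl() and /proc.  Returns 0 when
 * both views agree, -EPERM when the caller lacks the capability, -EIO if the
 * two views disagree. */
int raise_and_verify(int cap)
{
    int r = raise_ambient(cap);
    if (r < 0)
        return r;
    if (ambient_is_set(cap) != 1 || !((read_cap_amb() >> cap) & 1ULL))
        return -EIO;
    return 0;
}

int main(void)
{
    printf("CapAmb before: %016llx\n", read_cap_amb());
    int r = raise_and_verify(CAP_NET_RAW);
    if (r < 0) {
        fprintf(stderr, "raise CAP_NET_RAW: %s\n", strerror(-r));
        return 1;
    }
    printf("CapAmb after:  %016llx\n", read_cap_amb());
    /* The ambient set survives execve() of a binary with no file capabilities,
     * which is exactly what lets init hand capabilities to a service. */
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "grep CapAmb /proc/self/status", (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return 0;
}
```

Run as root the child prints a CapAmb line with bit 13 (CAP_NET_RAW) set; as an unprivileged user the raise fails with EPERM, which is the intended behaviour, since ambient capabilities can only carry forward privileges the process already holds.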