legacy: gracefully handle missing sets and capabilities

[lucab]

Capturing my previous comment from #2 (comment).

This is a placeholder ticket, I will detail the scope of problem a bit more after initial investigation.

[lucab]

The first step in this direction happened in #14.

[Alex-Rockliff]

Unless I am reading the implementation wrong (possible) it seems like this crate is missing the functionality for handling the case where a newer kernel introduces capabilities this crate doesn't know about. Clearing all the caps except those that you need has to be done by dropping each cap individually, which requires this crate to know about the cap in order to drop it.

capctl does handle this, and to me it seems like it'd be a pretty simple function to add here too: https://docs.rs/capctl/latest/capctl/#handling-of-newly-added-capabilities

[lucab]

@Alex-Rockliff please note that this ticket is about the opposite topic, i.e. this crate having more cap-entries defined than those available on legacy kernels. To the best of my understanding, this crate is on par with current Linux kernel (and historically has always been updated in sync), but the scenario you mention may certainly arise in the future. It may be worth opening a dedicated ticket with more details about your concerns.

Clearing all the caps except those that you need has to be done by dropping each cap individually, which requires this crate to know about the cap in order to drop it.

I think this is not generally true, but I may have misunderstood your comment.
(Unless you are specifically talking about caps::set(..., Ambient, ...), which I agree can be tweaked).
It would be better to have a dedicated ticket with the actual code references you are looking at.