How Linux Capabilities relate to zero/non-zero UID?

Question

The capabilities manpage is rather long and I do not fully understand some things.

How would look, for example, a function that decides whether we have access to CAP_NET_RAW?

Input:

• a = Effective uid is 0
• b = There are some real/saved/whatever uid that is 0
• c = CAP_NET_RAW is +e
• d = CAP_NET_RAW is +i
• e = CAP_NET_RAW is +p
• f = CAP_NET_RAW is excluded from the "bounding set"

Output:

• x = we can now call socket and not get EPERM
• y = after some trickery (not involving filesystem-based chmod +s or setcap access elevations or connecting to external helpers), e.g. with capsetp we can finally allow ourselves to open the raw socket.

As I currently understand it is something like this:

• x = !f && (a || c)
• y = !f && (b || a || c || e)

How is it in reality?

Answer 1

Read the docs a bit more, now it seems like it is this:

x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || ( CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve

I.e.

• Zero/nonzero uid is only meaningful when it changes and "root hacks" are active;
• Only effective capabilities are used for checks; everything else is capability management;
• Bounding set and inherited capabilities are about execve => out of scope for this answer.