This was first reported as https://bugzilla.redhat.com/show_bug.cgi?id=2062648

The glibc wrapper prctl() returns -1 and sets the errno in case of error. In various functions libcap overwrites the errno value using the value returned by prctl(), causing all errors to be reported as EPERM (which is 1). For example in cap_proc.c:

    int cap_get_bound(cap_value_t cap)
    {
        int result;

        result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
        if (result < 0) {
            errno = -result;
            return -1;
        }
        return result;
    }
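Added example, not part of the original report and not libcap code: a small Linux C program that runs the reported pattern against the real prctl() wrapper and compares it with a variant that leaves errno as glibc set it. The function names and BOGUS_CAP are hypothetical; the out-of-range capability number is a constructed input that prctl(2) documents as failing with EINVAL.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Constructed input: a capability number far above any the kernel defines,
 * so PR_CAPBSET_READ fails with EINVAL rather than succeeding. */
#define BOGUS_CAP 100000UL

/* The pattern from the report: treats the wrapper's -1 as a negated errno. */
static int bound_read_overwriting(unsigned long cap)
{
    int result = prctl(PR_CAPBSET_READ, cap, 0UL);
    if (result < 0) {
        errno = -result;   /* result is -1, so this is always 1 (EPERM) */
        return -1;
    }
    return result;
}

/* Hypothetical alternative: keep the errno the glibc wrapper already set. */
static int bound_read_preserving(unsigned long cap)
{
    int result = prctl(PR_CAPBSET_READ, cap, 0UL);
    return result < 0 ? -1 : result;
}

/* Calls fn(cap) and returns the errno it leaves behind (0 on success). */
static int errno_after(int (*fn)(unsigned long), unsigned long cap)
{
    errno = 0;
    return fn(cap) < 0 ? errno : 0;
}

int main(void)
{
    int e1 = errno_after(bound_read_overwriting, BOGUS_CAP);
    int e2 = errno_after(bound_read_preserving, BOGUS_CAP);

    /* A caller of the first variant cannot tell "invalid capability"
     * apart from "permission denied". */
    printf("overwriting: errno=%d (%s)\n", e1, strerror(e1));
    printf("preserving:  errno=%d (%s)\n", e2, strerror(e2));
    return 0;
}
```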
This was addressed via https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=f25a1b7e69f7b33e6afb58b3e38f3450b7d2d9a0 which appeared in libcap-2.63.
Wait, this is something else... Let me look closer.
Fixed with: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=15cacf20709c6917c798e298a1e087c0663e5c13
This will be included in libcap-2.64.