capng_updatev - Linux


capng_updatev modifies the capabilities for a specified process or files. It’s primarily used to adjust access privileges or enhance security by modifying the capability bounding set associated with entities.


capng_updatev -c <capability>... [-p] pid | -e executable [-E <context>] [-t type]...


  • -c <capability>: Capability(ies) to add or remove. Prefix with + or - to indicate action.
  • -p <pid>: Process ID of the target process.
  • -e <executable>: Executable file to modify.
  • -E <context>: Execution context: task, ambient, or current (default: task).
  • -t <type>: Type of capabilities to modify: ambient, effective, inheritable, or permitted.


Add Capability to Process

capng_updatev -c +CAP_NET_ADMIN -p 1234

Remove Capability from File

capng_updatev -c -CAP_CHOWN -e /path/to/file

Modify Capabilities in Ambient Context

capng_updatev -c +CAP_USB -E ambient -e /usr/bin/program

Common Issues

  • Permission Denied: Ensure you have sufficient privileges to modify capabilities.
  • Capability Not Supported: Check if the specified capability is supported by the kernel.
  • File Not Found: Verify that the executable or file exists.


  • BPF: Use capng_updatev in BPF programs to dynamically adjust capabilities for security hardening.
  • Sandboxing: In conjunction with tools like seccomp, capng_updatev can create restricted environments by limiting capabilities.

Related Commands