Comment # 6 on bug 1177499 from
(In reply to Michal Suchanek from comment #5)
> Replacing the command with dumpcap from wireshark does not work either - the
> test fails with EPERM
> 
> 'dumpcap', '-i', 'lo', '-a', 'duration:1'

That's because dumpcap is by default installed with 0750/-rwxr-x--- perms, and
I presume the test user doesn't belong to the "wireshark" group.

You can try to reproduce the ping issue to confirm that the prctl is
functioning as expected:

# restrict unprivileged icmp socket creation
echo 1 0 | sudo tee /proc/sys/net/ipv4/ping_group_range

dev@localhost:~> ping -c1 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.049 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.049/0.049/0.049/0.000 ms

dev@localhost:~> setpriv --nnp ping -c1 localhost
ping: socket: Operation not permitted

Anyway, I'd assume that relying on a package binary that is expected to have
filecaps may not be the most reliable method for testing this.

It's probably best to have a test.c that prints its own cap bits (via libcap),
that gets compiled and has some cap bits set on it (which is a problem I
suppose since it requires root), or just make this binary into an rpm package
as a dependency.


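As an added example (not code from the bug report, and not the test.c the comment proposes): a minimal test.c that prints its own capability sets and its no_new_privs flag, so a test can see directly whether file capabilities were honoured at exec. Instead of linking libcap, which the comment suggests, it parses the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/self/status and calls prctl(PR_GET_NO_NEW_PRIVS), so it builds with no extra package; the function names, the CAP_NOT_FOUND sentinel and the hard-coded CAP_NET_RAW bit number are this example's own choices.

```c
/* Added example, not code from the bug report: print this process's
 * capability sets and its no_new_privs flag. Reads /proc/self/status
 * instead of linking libcap (a choice made here to avoid the extra
 * dependency; the bug comment suggests libcap). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39      /* value from <linux/prctl.h> */
#endif
#ifndef CAP_NET_RAW
#define CAP_NET_RAW 13              /* bit index from <linux/capability.h> */
#endif

/* Sentinel for "key absent or unreadable"; no real cap mask is all ones,
 * since the kernel defines only a few dozen capability bits. */
#define CAP_NOT_FOUND UINT64_MAX

/* Parse one "Key:\t<hex>" line as written in /proc/self/status.
 * Returns the 64-bit mask, or CAP_NOT_FOUND if the line is not for `key`. */
uint64_t parse_cap_line(const char *line, const char *key)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return CAP_NOT_FOUND;
    /* strtoull skips the tab after the colon and stops at the newline */
    return strtoull(line + klen + 1, NULL, 16);
}

/* Read one capability set ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")
 * of the calling process. */
uint64_t read_cap_set(const char *key)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return CAP_NOT_FOUND;
    char line[256];
    uint64_t mask = CAP_NOT_FOUND;
    while (fgets(line, sizeof line, f)) {
        uint64_t v = parse_cap_line(line, key);
        if (v != CAP_NOT_FOUND) {
            mask = v;
            break;
        }
    }
    fclose(f);
    return mask;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (mask == CAP_NOT_FOUND || cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* 1 if no_new_privs is set (e.g. run under `setpriv --nnp`), 0 if not,
 * -1 if the kernel does not support the query. */
int nnp_status(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void)
{
    static const char *const sets[] = {"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"};
    for (size_t i = 0; i < sizeof sets / sizeof sets[0]; i++) {
        uint64_t m = read_cap_set(sets[i]);
        if (m == CAP_NOT_FOUND)
            printf("%s: (not reported)\n", sets[i]);
        else
            printf("%s: %016llx\n", sets[i], (unsigned long long)m);
    }
    printf("no_new_privs: %d\n", nnp_status());
    /* CAP_NET_RAW is what a file-capability'd ping needs for a raw ICMP socket */
    printf("CAP_NET_RAW effective: %s\n",
           cap_in_mask(read_cap_set("CapEff"), CAP_NET_RAW) ? "yes" : "no");
    return 0;
}
```

Build it with `gcc -o captest test.c`, then (as root, which is the part the comment flags as awkward in a test suite) `setcap cap_net_raw+ep ./captest`. Run as an unprivileged user, `./captest` should report CAP_NET_RAW in CapEff and no_new_privs 0; `setpriv --nnp ./captest` should report no_new_privs 1 and no CAP_NET_RAW, because no_new_privs blocks the file-capability gain at execve, which is the same mechanism behind the EPERM from ping above.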