Diffstat (limited to 'cap/convenience.go')
-rw-r--r--cap/convenience.go26
1 files changed, 18 insertions, 8 deletions
diff --git a/cap/convenience.go b/cap/convenience.go
index d604ad1..a31ac09 100644
--- a/cap/convenience.go
+++ b/cap/convenience.go
@@ -57,7 +57,7 @@ func (sc *syscaller) setSecbits(s Secbits) error {
// Set attempts to force the process Secbits to a value. This function
// will raise cap.SETPCAP in order to achieve this operation, and will
-// completely lower the Effective vector of the process returning.
+// completely lower the Effective Flag of the process upon returning.
func (s Secbits) Set() error {
state, sc := scwStateSC()
defer scwSetState(launchBlocked, state, -1)
@@ -75,6 +75,7 @@ const (
ModeNoPriv
ModePure1EInit
ModePure1E
+ ModeHybrid
)
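Review bot: ModeHybrid is added to the Mode constants without a comment saying what state it denotes, and nothing visible in this hunk distinguishes it from the other modes. The later hunks define it operationally — GetMode returns it when GetSecbits() is zero and setMode implements it as sc.setSecbits(0) — so a one-line comment on the constant such as `// ModeHybrid denotes a process with no secure bits set; the capability Flags are not constrained by this mode.` would save readers from reconstructing that from two other functions. The const block's opening line is outside the hunk.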
// GetMode assesses the current process state and summarizes it as
@@ -82,6 +83,9 @@ const (
// declared ModeUncertain.
func GetMode() Mode {
b := GetSecbits()
+ if b == 0 {
+ return ModeHybrid
+ }
if b&securedBasicBits != securedBasicBits {
return ModeUncertain
}
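Review bot: The new early return makes a zero Secbits value classify the process as ModeHybrid before any of the securedBasicBits or capability-Flag checks run, but the GetMode doc comment (its tail at the top of the hunk, `// declared ModeUncertain.`) still describes only the uncertain case. Consider extending that comment with a sentence along the lines of `// A process with no secure bits set at all is reported as ModeHybrid, regardless of its capability Flags.` so callers know the hybrid verdict does not inspect the Permitted, Effective or Inheritable Flags. GetMode's body continues beyond this hunk.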
@@ -101,12 +105,12 @@ func GetMode() Mode {
w := GetProc()
e := NewSet()
- cf, _ := w.Compare(e)
+ cf, _ := w.Cf(e)
- if Differs(cf, Inheritable) {
+ if cf.Has(Inheritable) {
return ModePure1E
}
- if Differs(cf, Permitted) || Differs(cf, Effective) {
+ if cf.Has(Permitted) || cf.Has(Effective) {
return ModePure1EInit
}
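Review bot: `cf, _ := w.Cf(e)` keeps discarding the comparison error that the replaced Compare call also ignored, so if Cf fails cf is its zero value, neither cf.Has check fires, and GetMode continues past this hunk as though the process Set matched the empty Set, which may report a more restrictive mode than the process is actually in. Since the function already has ModeUncertain for states it cannot vouch for, the safer form is `cf, err := w.Cf(e)` followed by `if err != nil { return ModeUncertain }`. GetMode's remaining logic is outside the hunk.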
@@ -141,6 +145,10 @@ func (sc *syscaller) setMode(m Mode) error {
return err
}
+ if m == ModeHybrid {
+ return sc.setSecbits(0)
+ }
+
if m == ModeNoPriv || m == ModePure1EInit {
w.ClearFlag(Inheritable)
} else if m != ModePure1E {
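Review bot: The ModeHybrid branch returns the result of sc.setSecbits(0) immediately, so the Inheritable/Permitted Flag handling that follows for the other modes is skipped and the Set `w` fetched above the hunk is never applied; if that is the intent, it deserves a comment, e.g. `// ModeHybrid only clears the secure bits; the capability Flags of the process are left as they are.` placed above the new if. Any error from setSecbits is propagated unchanged, which looks right, but since the guard sits after the err check at the top of the hunk it presumably runs after `w` has already been obtained, so moving it ahead of that fetch would avoid doing work the branch discards — the start of setMode is outside the hunk, so that is inferred rather than seen.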
@@ -199,6 +207,8 @@ func (m Mode) String() string {
return "PURE1E_INIT"
case ModePure1E:
return "PURE1E"
+ case ModeHybrid:
+ return "HYBRID"
default:
return "UNKNOWN"
}
@@ -234,11 +244,11 @@ func (sc *syscaller) setUID(uid int) error {
// all other variants of UID (EUID etc) to the specified value without
// dropping the privilege of the current process. This function will
// raise cap.SETUID in order to achieve this operation, and will
-// completely lower the Effective vector of the process before
+// completely lower the Effective Flag of the process before
// returning. Unlike the traditional method of dropping privilege when
-// changing from [E]UID=0 to some other UID, this function only
-// performs a change of UID cap.SETUID is available, and the action
-// does not alter the Permitted Flag of the process' Set.
+// changing from [E]UID=0 to some other UID, this function only can
+// perform any change of UID if cap.SETUID is available, and this
+// operation will not alter the Permitted Flag of the process' Set.
func SetUID(uid int) error {
state, sc := scwStateSC()
defer scwSetState(launchBlocked, state, -1)