quazpick
2017-06-24 10:57:17 UTC
Create a hello world binary.
Give it Linux capabilities, e.g. with the setcap command.
valgrind the binary with caps.
It will fail:
#include <stdio.h>
int main() { printf("Hello.\n"); return 0; }
***@devuan:~/test3$ gcc main.c
***@devuan:~/test3$ sudo su
***@devuan:/home/user/test3# setcap "cap_net_admin+eip" ./a.out
***@devuan:/home/user/test3# exit
exit
***@devuan:~/test3$ valgrind ./a.out
==19376==
==19376== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19376== Possible workaround: remove --trace-children=yes, if in effect
==19376==
valgrind: ./a.out: Permission denied
Even root can't valgrind it:
***@devuan:~/test3$ sudo valgrind ./a.out
==19385==
==19385== Warning: Can't execute setuid/setgid/setcap executable: ./a.out
==19385== Possible workaround: remove --trace-children=yes, if in effect
==19385==
valgrind: ./a.out: Permission denied
So how to?
AFAIR I also tried giving SUID flags and all CAPs to valgrind* and its /lib/ binaries and all, but nothing worked.
Is it required to hack the kernel to remove this restriction?
What is the root cause?