From the manual:
P'(ambient) = (file is privileged) ? 0 : P(ambient)
It is possible for a process to gain privileges from its parent.
P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset) | P'(ambient)
It is possible for a process to gain privileges from a file, if its inheritable set has them, or its cap_bset has them.
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
P'(inheritable) = P(inheritable) [i.e., unchanged]
It gets its inheritable set from its parent.
where:
P denotes the value of a thread capability set before the execve(2)
P' denotes the value of a thread capability set after the execve(2)
F denotes a file capability set
cap_bset is the value of the capability bounding set (described below).
…
Note that the bounding set masks the file permitted capabilities, but not the inheritable capabilities. If a thread maintains a capability in its inheritable set that is not in its bounding set, then it can still gain that capability in its permitted set by executing a file that has the capability in its inheritable set.
You also need to remove it from the inheritable set.
Therefore remove privileges from the root process (init): remove privileges from cap_bset, inheritable, permitted, and effective.
init should drop the capabilities that are not needed before forking: now the only way to increase capabilities is to have an executable file with its permitted set greater than the current effective set.
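The quoted rules can be checked with a small model that shows why dropping a capability from the bounding set alone is not enough. This is an added example, not part of the original text or the manual: the names Thread, FileCaps and execve are made up here, capability sets are modelled as Python frozensets, and it assumes a non-root UID, no set-user-ID/set-group-ID bits and default securebits.

```python
from dataclasses import dataclass, replace

E = frozenset()                      # the empty capability set
RAW = frozenset({"CAP_NET_RAW"})     # constructed sample capability

@dataclass(frozen=True)
class Thread:                        # P(...) plus the bounding set
    inheritable: frozenset = E
    permitted: frozenset = E
    effective: frozenset = E
    ambient: frozenset = E
    bset: frozenset = E

@dataclass(frozen=True)
class FileCaps:                      # F(...); F(effective) is a single bit
    inheritable: frozenset = E
    permitted: frozenset = E
    effective: bool = False

def execve(p, f):
    """Apply the capabilities(7) transformation rules quoted above."""
    # Assumption: "privileged" here means the file carries any capabilities.
    privileged = bool(f.inheritable or f.permitted or f.effective)
    ambient = E if privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bset) | ambient
    effective = permitted if f.effective else ambient
    # P'(inheritable) and the bounding set are carried over unchanged.
    return replace(p, permitted=permitted, effective=effective, ambient=ambient)

def demo():
    via_permitted = FileCaps(permitted=RAW, effective=True)
    via_inheritable = FileCaps(inheritable=RAW, effective=True)
    bset_only = Thread(inheritable=RAW, bset=E)  # dropped from bset only
    both = Thread(inheritable=E, bset=E)         # dropped from both sets
    return {
        # The bounding set masks F(permitted): nothing is gained.
        "bset_only/F_permitted": execve(bset_only, via_permitted).effective,
        # The bounding set does not mask F(inheritable): capability regained.
        "bset_only/F_inheritable": execve(bset_only, via_inheritable).effective,
        # Dropped from inheritable as well: nothing is gained.
        "both/F_inheritable": execve(both, via_inheritable).effective,
    }

if __name__ == "__main__":
    for case, caps in demo().items():
        print(f"{case}: {sorted(caps)}")
```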