Which Linux capability do I need in order to write to /proc/sys/vm/drop_caches?

The proc filesystem doesn't support capabilities, ACL, or even changing basic permissions with chmod. Unix permissions determine whether the calling process gets access. Thus only root can write that file. With user namespaces, that's the global root (the one in the original namespace); root in a container doesn't get to change sysctl settings.

As far as I know, the only solution to change a sysctl setting from inside a non-privileged namespace is to arrange a communication channel with the outside (e.g. a socket or pipe), and have the listening process run as root outside the container.
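A small check that turns the rules in this answer into something you can run before attempting the write, added here as an example and not part of either answer: a sysctl file is writable only by effective uid 0 in the initial user namespace (whose /proc/self/uid_map is the full identity map "0 0 4294967295"), and only if /proc/sys itself is not a read-only mount, as it is inside a default Docker container. The function names and the use of id(1) are my own choices.

```shell
#!/bin/sh
# Added example: decide whether the calling process may write a sysctl file
# such as /proc/sys/vm/drop_caches. The checks take their inputs as arguments
# so they can also be exercised with constructed values as an unprivileged user.

# Succeeds when the given uid_map content (one or more "inner outer count"
# lines) is the identity map of the initial user namespace.
is_initial_userns_map() {
    map="$1"
    set -- $(printf '%s\n' "$map" | head -n1)
    [ "$1" = "0" ] && [ "$2" = "0" ] && [ "$3" = "4294967295" ]
}

# $1 = effective uid, $2 = uid_map content, $3 = sysctl path.
# Prints the reason on failure and returns 1; prints "ok" and returns 0 otherwise.
can_write_sysctl() {
    euid="$1"; uid_map="$2"; path="$3"
    [ "$euid" -eq 0 ] || { echo "not root (euid $euid)"; return 1; }
    # Root inside a user namespace is not the global root: sysctls stay off limits.
    is_initial_userns_map "$uid_map" || { echo "root only inside a user namespace"; return 1; }
    # access(2) with W_OK: for root this fails only on a read-only mount,
    # which is exactly how Docker exposes /proc/sys by default.
    [ -w "$path" ] || { echo "$path not writable (read-only /proc/sys mount?)"; return 1; }
    echo "ok: $path is writable"
}

# Run with --live to check the current process (the plain run only defines
# the functions). Kernels without user namespaces have no uid_map file;
# treat that as the initial namespace.
if [ "${1:-}" = "--live" ]; then
    can_write_sysctl "$(id -u)" \
        "$(cat /proc/self/uid_map 2>/dev/null || echo '0 0 4294967295')" \
        /proc/sys/vm/drop_caches
fi
```

Inside a rootless container the second check fails; inside a default Docker container run as real root the third one does, which is the case the addendum below works around by bind-mounting a writable copy of /proc.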


As an addendum to the accepted answer by Gilles: I managed to achieve my goal of writing to /proc/sys/vm/drop_caches (or to /proc in general, to be precise) in a much easier way when working with docker:

docker run -ti --rm -v /proc:/writable_proc ubuntu:vivid bash
# echo 3 > /writable_proc/sys/vm/drop_caches

That does it for my purpose.

Thank you very much for your helpful answer!