Dropping an ability

You can drop an ability that your application doesn't need at all, or that it no longer needs.

Here's an example:

procmgr_ability(0,
                PROCMGR_ADN_NONROOT           // Non-root domain
                  | PROCMGR_AOP_DENY          // Drop the ability
                  | PROCMGR_AOP_LOCK          // Prevent further changes
                  | PROCMGR_AID_SPAWN_SETUID, // Specified ability
                PROCMGR_AID_EOL               // End of ability list
);

If the application will never again need the ability, you should also specify the PROCMGR_AOP_LOCK flag when you drop it.

If your application has all the abilities that it needs, we recommend that you explicitly deny and lock all other abilities by setting special flags on the PROCMGR_AID_EOL entry that finishes the procmgr_ability() parameter list:

procmgr_ability(0,
                PROCMGR_ADN_NONROOT  // Non-root domain
                  | PROCMGR_AOP_DENY // Deny all abilities not listed
                  | PROCMGR_AOP_LOCK // Prevent further changes
                  | PROCMGR_AID_EOL  // End of ability list
);

If you OR PROCMGR_AID_EOL with additional flags, procmgr_ability() traverses the entire list and applies those flags to any unlocked abilities that you didn't specify in the arguments to the function.
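The following added example (not part of the original documentation) combines both calls above into one: it keeps one ability, drops PROCMGR_AID_SPAWN_SETUID, then denies and locks everything else through the PROCMGR_AID_EOL entry, and returns the result so the caller can check it. Assumptions: PROCMGR_AID_IO is chosen only to illustrate a retained ability, and the #else branch is a host-side stand-in with placeholder bit values that models the traversal described above so the code also builds off-target; on QNX Neutrino the real <sys/procmgr.h> is used.

```c
#include <errno.h>
#include <stdarg.h>
#ifdef __QNXNTO__
#include <sys/procmgr.h>
#else
/* Host stand-in (assumption): placeholder bit values and a small model of the
 * behaviour described above, so the example also builds and runs off-target. */
enum { PROCMGR_AID_EOL, PROCMGR_AID_IO, PROCMGR_AID_SPAWN_SETUID, AID_COUNT = 8 };
#define EOK 0
#define PROCMGR_AOP_DENY    0x100u
#define PROCMGR_AOP_ALLOW   0x200u
#define PROCMGR_AOP_LOCK    0x400u
#define PROCMGR_ADN_NONROOT 0x800u
static unsigned model_state[AID_COUNT];  /* flags last applied to each ability */

static int procmgr_ability(int pid, unsigned ab, ...)
{
    int named[AID_COUNT] = {0};
    va_list ap;
    (void)pid;
    va_start(ap, ab);
    for (; (ab & 0xffu) != PROCMGR_AID_EOL; ab = va_arg(ap, unsigned)) {
        unsigned id = ab & 0xffu;
        if (id >= AID_COUNT) { va_end(ap); return EINVAL; }
        named[id] = 1;
        if (!(model_state[id] & PROCMGR_AOP_LOCK))  /* model: locked entries stay put */
            model_state[id] = ab & ~0xffu;
    }
    va_end(ap);
    /* Flags ORed into EOL: sweep every ability that is unnamed and unlocked. */
    for (unsigned id = 1; (ab & ~0xffu) != 0 && id < AID_COUNT; id++)
        if (!named[id] && !(model_state[id] & PROCMGR_AOP_LOCK))
            model_state[id] = ab & ~0xffu;
    return EOK;
}
#endif

/* Keep and lock I/O privileges, drop and lock setuid spawning, then deny and
 * lock every ability not named. Returns EOK or procmgr_ability()'s error. */
int lock_down_abilities(void)
{
    return procmgr_ability(0,
        PROCMGR_ADN_NONROOT | PROCMGR_AOP_ALLOW | PROCMGR_AOP_LOCK | PROCMGR_AID_IO,
        PROCMGR_ADN_NONROOT | PROCMGR_AOP_DENY | PROCMGR_AOP_LOCK
            | PROCMGR_AID_SPAWN_SETUID,
        PROCMGR_ADN_NONROOT | PROCMGR_AOP_DENY | PROCMGR_AOP_LOCK | PROCMGR_AID_EOL);
}

int main(void) { return lock_down_abilities() == EOK ? 0 : 1; }
```

Call lock_down_abilities() once the process has acquired everything it needs, and treat any return value other than EOK as a failed hardening step.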