Ability ranges

The procmgr_ability() function also lets you specify subranges for specific abilities. This is useful for limiting certain abilities to the smallest number of privileges possible.

For example, the PROCMGR_AID_SPAWN_SETUID and PROCMGR_AID_SPAWN_SETGID abilities allow a process to supply specific abilities to a spawned process. Imagine you have a process that needs to spawn child processes that will run with a group other than those of the process. To accomplish this task, the process must obtain one of these abilities. However, the process shouldn't be allowed to simply set arbitrary UIDs and GIDs, or else it might be able to elevate its own privileges. It's possible to supply a subrange that limits what specific user or group identifiers can be supplied.

The following example shows how you can provide a specific subrange to a requested ability:

                PROCMGR_ADN_NONROOT           // Non-root domain
                  | PROCMGR_AOP_ALLOW         // Allow the ability
                  | PROCMGR_AOP_SUBRANGE      // Limit ability to a subrange
                  | PROCMGR_AID_SPAWN_SETUID, // Requested ability
                (uint64_t)800, (uint64_t)899, // Subrange for ability
                PROCMGR_AID_EOL               // End of ability list

In this case, the PROCMGR_AID_SPAWN_SETUID ability is being requested, indicated by the PROCMGR_AOP_ALLOW flag, for user IDs in the range from 800 through 899, as indicated by the PROCMGR_AOP_SUBRANGE flag. The PROCMGR_ADN_NONROOT domain indicates that the process wishes to use this ability when it isn't running as root.

We recommend that you limit the subranges requested to as small a set as possible, and include only those values that will explicitly be required.