Process manager abilities

The io-pkt manager uses general and custom process manager abilities to protect the privileged operations required by networking components.

For an overview of process manager abilities, see “Process privileges” in the “Processes” chapter of the QNX Neutrino Programmer's Guide, and the entries for procmgr_ability() and iofunc_ability_check() in the C Library Reference.

General abilities

The general abilities govern which process operations io-pkt can do. Once io-pkt is up and running, you can use the qnx.kern.droproot sysctl command to tell it to stop running as root and run instead as the user that you specified with the -U option. At this point, io-pkt keeps the abilities that it needs and relinquishes the rest, but you can specify some additional abilities to retain if your networking driver needs them. On the command line, you can issue the sysctl command like this:

sysctl -w qnx.kern.droproot=value

The value is a hexadecimal number whose bits indicate which abilities io-pkt should keep, or 0 if you want io-pkt to continue to run as root. The QNX_DROPROOT_* flags are defined in <sys/iopkt_ability.h>:

Constant	Value	Keep this ability
QNX_DROPROOT_STD	0x0001	Drop root without keeping any additional abilities (keep the “standard” ones listed below)
QNX_DROPROOT_INTERRUPT	0x0002	PROCMGR_AID_INTERRUPT
QNX_DROPROOT_CONNECTION	0x0004	PROCMGR_AID_CONNECTION
QNX_DROPROOT_TIMER	0x0008	PROCMGR_AID_TIMER
QNX_DROPROOT_PROT_EXEC	0x0010	PROCMGR_AID_PROT_EXEC
QNX_DROPROOT_PATHSPACE	0x0020	Not used; io-pkt keeps PROCMGR_AID_PATHSPACE by default
QNX_DROPROOT_QNET	0x0040	PROCMGR_AID_QNET
QNX_DROPROOT_PUBLIC_CHANNEL	0x0080	PROCMGR_AID_PUBLIC_CHANNEL

By default, io-pkt retains the following abilities:

IOFUNC_ABILITY_DUP
IOFUNC_ABILITY_EXEC
IOFUNC_ABILITY_READ
PROCMGR_AID_KEYDATA
PROCMGR_AID_MEM_PHYS
PROCMGR_AID_PATHSPACE
PROCMGR_AID_PRIORITY

Custom abilities

In addition to using the general abilities, io-pkt sets up and uses some custom abilities to govern specific networking operations:

The io-pkt manager uses procmgr_ability_create() to create the abilities.
In your code, use procmgr_ability_lookup() to get an identifier for the abilities that you need. A process that has the ability can bestow it on another process by calling procmgr_ability().
On the command line, use the -A option for the on utility. For example:
```
on -u guest -Aallow,nonroot,able="network/interface/setpriv",inherit sh
```
The shell that you invoke the command from must already have the ability.
When you no longer need an ability, you should use procmgr_ability() to drop it.

The names of the abilities are defined in <sys/iopkt_ability.h>:

Constant	Value	Description
_IOPKT_ABILITY_NW_BIND_PRIVPORT	`network/bind/privport`	Controls the ability to bind a privileged port; required by rresvport()
_IOPKT_ABILITY_NW_INTERFACE_GETPRIV	`network/interface/getpriv`	Checks if retrieving privileged information from the device via ioctl() is permitted
_IOPKT_ABILITY_NW_INTERFACE_SETPRIV	`network/interface/setpriv`	Checks if setting privileged parameters on the device via ioctl() is permitted
_IOPKT_ABILITY_NW_ROUTE_SET	`network/route/set`	Mediates if routing related operations are permitted
_IOPKT_ABILITY_NW_SOCKET_RAWSOCK	`network/socket/rawsock`	Controls who can allocate and use raw sockets; required by utilities such as ping and ping6