Ability domains

The process manager supports PROCMGR_ADN_ROOT and PROCMGR_ADN_NONROOT flags that indicate which domain an ability applies to.

These flags let a process further limit what actions can be carried out depending on its effective user ID:

PROCMGR_ADN_NONROOT: Modify the ability of the process when it isn't running as root.
PROCMGR_ADN_ROOT: Modify the ability of the process when it's running as root.

The following example shows how to retain a specific ability for your process before dropping root privileges; here the PROCMGR_AID_PATHSPACE ability is allowed for non-root users:

#include <sys/procmgr.h>
#include <unistd.h>

/* Requested while still root: keep PATHSPACE once the process is non-root. */
procmgr_ability( 0, PROCMGR_ADN_NONROOT
                      | PROCMGR_AOP_ALLOW
                      | PROCMGR_AID_PATHSPACE,
                    PROCMGR_AID_EOL );        /* terminates the ability list */
setregid(new_group, new_group);  /* drop the group first; it still needs root */
setreuid(new_user, new_user);    /* then drop the user */