Procmgr abilities

The QNX Neutrino RTOS supports procmgr abilities, process-manager settings that govern which operations a particular process is permitted to perform.

A privileged process can obtain these abilities before dropping root privileges, which lets it retain some functionality that historically would have been restricted to root. Furthermore, procmgr abilities can be locked, meaning that even root users can't carry out certain actions that they might historically have been able to. This model significantly reduces the attack surface of the system, even when dealing with a root process.

We recommend that you use the procmgr ability model wherever possible, retaining specific abilities, and dropping and locking whatever isn't explicitly required. Once you've used the retained abilities, you should drop and lock them if they're no longer necessary. A number of simple examples of ability retention and locking are included in the following sections.

You can adjust procmgr abilities by calling procmgr_ability(). This function is typically used by services that start as root and need to retain certain capabilities before dropping privileges.

The procmgr_ability() function takes as its first argument a process ID, or 0 to indicate the calling process. It's followed by a variable number of arguments, each of which consists of a set of flags that indicate:

The list of abilities must be terminated by an argument that includes the PROCMGR_AID_EOL flag.