| Updated: April 19, 2023 |
Some abilities may have one or more subranges associated with that ability that further refine how the ability is granted:
Every ability has a name which is used in security policies and in the output of tools such as pidin and secpolgenerate. When used programmatically with functions such as procmgr_ability() and ConnectClientInfoAble(), the equivalent numeric ID must be used instead.
For static abilities, each ability has a symbolic constant whose name is formed by adding PROCMGR_AID_ to the ability name in uppercase. For example, to specify the able_create ability, you would used PROCMGR_AID_ABLE_CREATE.
For custom abilities, the numeric ID is looked up by passing the ability name to either of the functions procmgr_ability_lookup() or procmgr_ability_create().
| Name/constant | Privileged? | Controls the process's ability to: | Subrange (optional) |
|---|---|---|---|
| able_create PROCMGR_AID_ABLE_CREATE |
Yes | Allocate permanent identifiers for additional named abilities; for more information, see procmgr_ability_create() and procmgr_ability_lookup() | — |
| able_priv PROCMGR_AID_ABLE_PRIV |
Yes | (QNX Neutrino 7.0.1 or later) Enable a currently denied privileged ability, add subranges to such an ability, or inherit such an ability | — |
| aps_root PROCMGR_AID_APS_ROOT |
Yes | Execute adaptive partitioning scheduler operations that usually require root permissions; for more information, see SchedCtl() | — |
| channel_connect PROCMGR_AID_CHANNEL_CONNECT |
Yes | Connect to channels belonging to other processes and that have a type ID other than 0. For more information, see Security Policies. | Allowable channel type IDs |
| child_newapp PROCMGR_AID_CHILD_NEWAPP |
Yes | Create a new application ID for a child process by setting POSIX_SPAWN_NEWAPP for posix_spawn() or posix_spawnp(), or SPAWN_NEWAPP for the spawn*() functions | — |
| chroot PROCMGR_AID_CHROOT |
Yes | Change the mroot directory by calling chroot(). | — |
| clockperiod PROCMGR_AID_CLOCKPERIOD |
Yes | Change the clock period, using ClockPeriod() | Allowable periods, in nanoseconds |
| clockset PROCMGR_AID_CLOCKSET |
Yes | Set the clock, using clock_settime(), settimeofday(), ClockAdjust(), or ClockTime() | Allowable times, in nanoseconds |
| confset PROCMGR_AID_CONFSET |
Yes | Set configuration strings, using confstr() | Allowable names (_CS_*) |
| connection PROCMGR_AID_CONNECTION |
Yes |
|
— |
| cpumode PROCMGR_AID_CPUMODE |
Yes | Change the CPU's power management mode | Allowable modes |
| default_timer_tolerance PROCMGR_AID_DEFAULT_TIMER_TOLERANCE |
Yes | Set the default timer tolerance for another process, using procmgr_timer_tolerance() | — |
| event PROCMGR_AID_EVENT |
Yes | Trigger privileged system-wide events, using procmgr_event_trigger() or procmgr_event_trigger_updateable() | Trigger bits |
| fork PROCMGR_AID_FORK |
No | Create a new process by calling fork() | — |
| getid PROCMGR_AID_GETID |
Yes | Get the group ID or session ID of a process outside the calling process's session, by using getpgid() or getsid(), respectively | — |
| high_resolution_timer PROCMGR_AID_HIGH_RESOLUTION_TIMER |
Yes | (QNX Neutrino 7.0.1 or later) Set the timer tolerance to a value between 0 and the clock period, by calling timer_settime(), timer_timeout(), TimerSettime(), or TimerTimeout() | — |
| interrupt PROCMGR_AID_INTERRUPT |
Yes | Attach interrupt handlers by calling InterruptAttach() or InterruptAttachArray(), or events by calling InterruptAttachEvent(). | Interrupt sources |
| interruptevent PROCMGR_AID_INTERRUPTEVENT |
Yes | (QNX Neutrino 7.0.1 or later) Attach interrupt events by calling InterruptAttachEvent(). | Interrupt sources |
| io PROCMGR_AID_IO |
Yes | Request I/O privileges by calling ThreadCtl() with the _NTO_TCTL_IO_LEVEL, _NTO_TCTL_IO, or _NTO_TCTL_IO_PRIV command. | (QNX Neutrino 7.0.1 or later) Level: 0 for _NTO_IO_LEVEL_1 or _NTO_TCTL_IO, or 1 for _NTO_IO_LEVEL_2 or _NTO_TCTL_IO_PRIV |
| keydata PROCMGR_AID_KEYDATA |
Yes | Pass data through a common client, by calling MsgKeyData(). In QNX Neutrino 7.1 or later, you don't need this ability if the operation is _NTO_KEYDATA_VERIFY. | — |
| mac_policy PROCMGR_AID_MAC_POLICY |
Yes | Change the security policy that procnto enforces; see secpolpush in the Utilities Reference | — |
| map_fixed PROCMGR_AID_MAP_FIXED |
No | Use mmap() with MAP_FIXED to map fixed addresses (including zero) | Allowable virtual addresses |
| mem_add PROCMGR_AID_MEM_ADD |
Yes | Add physical memory | Allowable physical addresses |
| mem_global PROCMGR_AID_MEM_GLOBAL |
Yes | Mark shared memory as being global across all processes, by calling shm_ctl() or shm_ctl_special(), specifying SHMCTL_GLOBAL | — |
| mem_lock PROCMGR_AID_MEM_LOCK |
Yes | Lock a range of process address space into physical memory, by calling mlock() or mlockall() | Allowable virtual addresses |
| mem_peer PROCMGR_AID_MEM_PEER |
Yes | Manipulate a peer process's memory | Peer user IDs |
| mem_phys PROCMGR_AID_MEM_PHYS |
Yes |
|
Allowable physical addresses |
| mem_special PROCMGR_AID_MEM_SPECIAL |
Yes | Call shm_ctl_special() | — |
| mountifs PROCMGR_AID_MOUNTIFS |
Yes | Controls the ability of a process to mount secondary image file systems. For more information, see the mount_ifs entry in the Utilities Reference. | — |
| pathspace PROCMGR_AID_PATHSPACE |
Yes | Add items to the procnto pathname prefix space, specifically to create symbolic links by calling pathmgr_symlink(), or to register names in the path space by calling resmgr_attach() | — |
| path_trust PROCMGR_AID_PATH_TRUST |
Yes | Indicate that a filesystem is trusted.
|
— |
| pgrp PROCMGR_AID_PGRP |
No | Set its process group ID, by calling setpgrp() or procmgr_session(). This ability is enabled by default (for POSIX conformance). You can disable it completely or restrict it to specific pid ranges. | Process IDs |
| power PROCMGR_AID_POWER |
Yes | Set power-management parameters | — |
| priority PROCMGR_AID_PRIORITY |
Yes |
The maximum unprivileged priority is usually 63, but is governed by the -P option to procnto. |
Allowable priorities |
| privreg PROCMGR_AID_PRIVREG |
Yes | (QNX Neutrino 7.0.4 or later) Use the DCMD_PROC_GETREGSET and DCMD_PROC_SETREGSET devctl() commands to get and set privileged registers in the range from REGSET_STARTPRIV and up. See “Controlling processes via the /proc filesystem” in the “Processes” chapter of the QNX Neutrino Programmer's Guide. | — |
| prot_exec PROCMGR_AID_PROT_EXEC |
No | Load code by calling dlopen() or map memory as executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_EXEC | Allowable virtual addresses |
| prot_write_and_exec PROCMGR_AID_PROT_WRITE_AND_EXEC |
No | Simultaneously map memory as writable and executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_WRITE | PROT_EXEC | Allowable virtual addresses |
| public_channel PROCMGR_AID_PUBLIC_CHANNEL |
No | Create a public channel by calling ChannelCreate() without setting _NTO_CHF_PRIVATE. Resource managers need this ability to create a public channel when they call dispatch_create_channel() or resmgr_attach(). Programs that aren't resource managers need it in order to create a public channel when they call name_attach(). You might also need this ability when you call message_attach(), pulse_attach(), or select_attach(). | — |
| qvm PROCMGR_AID_QVM |
Yes | Reserved for the hypervisor | — |
| rconstraint PROCMGR_AID_RCONSTRAINT |
No | Operate without any resource constraints. For more information, see “Resource constraint thresholds” in the “Processes” chapter of the QNX Neutrino Programmer's Guide. | — |
| reboot PROCMGR_AID_REBOOT |
Yes | Cause the system to reboot by calling sysmgr_reboot() | — |
| rlimit PROCMGR_AID_RLIMIT |
Yes | Use setrlimit() to raise hard limits on system resources | Limits (RLIMIT_*) that it can raise |
| rlimit_peer PROCMGR_AID_RLIMIT_PEER |
Yes | Change limits on system resources for other processes. | Allowable user IDs |
| rsrcdbmgr PROCMGR_AID_RSRCDBMGR |
Yes | Use the rsrcdbmgr*() functions to manipulate the resource database manager | — |
| runstate PROCMGR_AID_RUNSTATE |
Yes | Use sysmgr_runstate() and sysmgr_runstate_dynamic() to control a CPU's running state | Allowable CPU numbers |
| runstate_burst PROCMGR_AID_RUNSTATE_BURST |
No | Use sysmgr_runstate_burst() to tell the kernel to turn on any offlined CPUs because the system is about to get busy | The maximum length of time, in milliseconds, for which the process is allowed to set burst mode |
| sandbox PROCMGR_AID_SANDBOX |
Yes | Create and delete sandboxes, attach a process to a sandbox, and detach a process from a sandbox. | — |
| schedule PROCMGR_AID_SCHEDULE |
Yes | Use SchedCtl() with the SCHED_CONFIGURE command, SchedGet(), sched_getparam(), sched_getscheduler(), SchedSet(), sched_setparam(), or sched_setscheduler() to get or set the scheduling policy and parameters for a process whose user ID is different from the calling process's real or effective user ID | — |
| server_monitor PROCMGR_AID_SERVER_MONITOR |
Yes | Register with the process manager to be notified when servers don't respond to unblock requests promptly enough; see server-monitor in the Utilities Reference. | — |
| session PROCMGR_AID_SESSION |
Yes | Use procmgr_session() to change a character terminal's process group or to send a signal to a member of a session group | Allowable session IDs |
| setgid PROCMGR_AID_SETGID |
Yes | Set its real or effective group ID to values other than its real or effective group ID or its saved set-group ID, by calling setgid(), setegid(), setregid(), or change or delete its supplementary group IDs by calling setgroups() | Allowable group IDs |
| settypeid PROCMGR_AID_SETTYPEID |
Yes | Specify a type identifier in a call to posix_spawn() or to call secpol_transition_type(). This ability supports subranges that control which type identifiers a process is able to use. A process may not even spawn a process or set its type to its current type if it lacks the ability. For more information, see Security Policies. | Allowable type IDs |
| setuid PROCMGR_AID_SETUID |
Yes | Set its real or effective user ID to values other than its real or effective user ID or its saved set-user ID, by calling seteuid(), setuid(), or setreuid() | Allowable user IDs |
| sigev_thread PROCMGR_AID_SIGEV_THREAD |
No | (QNX Neutrino 7.0.4 or later) Use a SIGEV_THREAD sigevent. For a registered event, the ability check is done only when you call MsgRegisterEvent(). Other C library functions that are passed a sigevent as an argument do the ability check only for an unregistered SIGEV_THREAD event. These functions include InterruptAttachEvent(), MsgDeliverEvent(), procmgr_event_notify(), procmgr_event_notify_add(), procmgr_value_notify_add(), SyncCtl(), ThreadCtlExt(), TimerCreate(), and TimerTimeout(). | — |
| signal PROCMGR_AID_SIGNAL |
Yes |
|
Allowable signals |
| spawn PROCMGR_AID_SPAWN |
No | Spawn new processes by calling exec*(), spawn*, or posix_spawn() | — |
| spawn_setgid PROCMGR_AID_SPAWN_SETGID |
Yes | Set the group ID of the child process when using posix_spawn() | Allowable group IDs |
| spawn_setuid PROCMGR_AID_SPAWN_SETUID |
Yes | Set the user ID of the child process when using posix_spawn() | Allowable user IDs |
| srandom PROCMGR_AID_SRANDOM |
Yes | Use SysSrandom() to install a source of entropy for the kernel's pseudorandom number generator | — |
| swap PROCMGR_AID_SWAP |
Yes | Enable, disable, or configure the memory swapper | — |
| timer PROCMGR_AID_TIMER |
Yes | Get timer information for a process belonging to a different user and reset overruns by calling TimerInfo() | Timer IDs |
| trace PROCMGR_AID_TRACE |
Yes | Add handlers for trace events or allocate the instrumented kernel's trace buffers by calling TraceEvent() | — |
| umask PROCMGR_AID_UMASK |
Yes | Change the file-mode creation mask for a process with a different effective user ID | — |
| untrusted_exec PROCMGR_AID_UNTRUSTED_EXEC |
No | Execute files from an untrusted filesystem. For more information, see Pathtrust and the description of PROT_EXEC in the entry for mmap(). | — |
| wait PROCMGR_AID_WAIT |
Yes | Use wait(), wait3(), wait4(), waitid(), or waitpid() to wait for the status of a terminated child process whose real or saved user ID is different from the calling process's real or effective user ID | Child process IDs |
| xprocess_able PROCMGR_AID_XPROCESS_ABLE |
Yes | (QNX Neutrino 7.0.1 or later) Change the abilities of another process. | — |
| xprocess_debug PROCMGR_AID_XPROCESS_DEBUG |
Yes |
|
User IDs that can be accessed |
| xprocess_mem_read PROCMGR_AID_XPROCESS_MEM_READ |
Yes | (QNX Neutrino 7.0.1 or later) Open for reading the /proc/pid/as file of another process that's running as a different user ID than the requesting process. This ability is required to create core files, for full pidin functionality, and for debugging another process. | User IDs that can be accessed |
| xprocess_query PROCMGR_AID_XPROCESS_QUERY |
Yes |
|
Allowable user IDs |
| xthread_threadctl PROCMGR_AID_XTHREAD_THREADCTL |
No | Use ThreadCtlExt() or ThreadCtlExt_r() to control a thread other than the calling thread. By default, all processes have this ability for all commands (that is, by default a thread is allowed to invoke a ThreadCtlExt() command on a different thread in the same process). | _NTO_TCTL_* commands |
The currently defined custom abilites are listed below. For more details about creating and using custom abilities, see procmgr_ability_lookup() and procmgr_ability_create().
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| fsevmgr/qnxext | INOTIFY_ABILITY_QNX_EXT | Check for processes that want to listen to any of the QNX extended inotify events. |
| fsevmgr/recurse | INOTIFY_ABILITY_RECURSE | Reserved for future use. |
For more information, see inotify_qnx_ext().
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| ioaudio/capturerestricted | IOAUDIO_ABILITY_RESTRICTED_CAPTURE | Restrict applications from capturing audio data. To apply this restriction, set the driver option to capture. |
| ioaudio/playbackrestricted | IOAUDIO_ABILITY_RESTRICTED_PLAYBACK | Restrict applications from playing audio data. To apply this restriction, set the driver option to playback. |
For more information, see io-audio in the Utilities Reference.
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| iofunc/chown | IOFUNC_ABILITY_CHOWN | Change the ownership of a file to a different UID or to change the GID of a file to a GID that the process does not belong to. |
| iofunc/dup | IOFUNC_ABILITY_DUP | Obtain a duplicate of any process's file descriptor. |
| iofunc/exec | IOFUNC_ABILITY_EXEC | Access files or directories within directories for which POSIX permissions and ACLs would prohibit access. Also allows the ability to execute files the process does not have execute permission for. |
| iofunc/read | IOFUNC_ABILITY_READ | Open a file for read where POSIX permissions and ACLs would prohibit access. |
A process should usually not be given the permissions granted by these abilities.
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| io-gpio/all | — | ** |
| Name | Constant | Used by io-sock to: |
|---|---|---|
| network/privport | QNX_PRIV_PRIVPORT | Bind a privileged port (low port number). |
| network/rawsocket | QNX_PRIV_RAW | Control who can open a raw socket that uses Internet protocol family definitions provided by netinet/in.h. Required by utilities such as ping. |
| network/reuseport | QNX_PRIV_REUSEPORT | Control who can connect to a socket on the same port as another connection created by another user and to which the IP_BINDMULTI or SO_REUSEPORT socket options are applied. |
| network/ipsec | QNX_PRIV_IPSEC | Control who can administer IPsec. |
| network/admin | QNX_PRIV_ADMIN | Control the abilities that are not provided by another ability, but that a networking component generally requires (e.g., create and bring up interfaces, set the socket manager state via sysctl). Required by utilities such as dhclient. |
For more information, see “Privilege Control” in the High-Performance Networking Stack User's Guide.
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| smmu/attach | SMMU_ABILITY_ATTACH_NAME | Connect to the SMMUMAN service |
| smmu/target | SMMU_ABILITY_TARGET_NAME | Use the SMF_TARGET flag with the smmu_mapping_add() function |
For more information, see the SMMUMAN User's Guide.
| Name | Constant | Controls the process's ability to: |
|---|---|---|
| vfs/fs-control | BLK_ABILITY_FSCTL | Use the DCMD_FSYS_CTL argument. (For internal use only) |
| vfs/hook-control | BLK_ABILITY_HOOKCTL | Use the DCMD_FSYS_HOOK_CTL devctl() function. |
| vfs/mount-blk | BLK_ABILITY_MOUNTVFS | Use mount and umount. |
| vfs/pregrow | BLK_ABILITY_PREGROW | Use the DCMD_FSYS_PREGROW_FILE argument. |
| vfs/relearn | BLK_ABILITY_RELEARN | Use the DCMD_BLK_FORCE_RELEARN and DCMD_FSYS_FORCE_RELEARN arguments. |
| vfs/stats-clear | BLK_ABILITY_STATSCLEAR | Use the DCMD_FSYS_STATISTICS and DCMD_FSYS_STATISTICS_CLR arguments. |
For more information, see Devctl and Ioctl Commands and the Utilities Reference.