Ability domains

The process manager supports PROCMGR_ADN_ROOT and PROCMGR_ADN_NONROOT flags that indicate which domain an ability applies to.

These flags let a process further limit what actions can be carried out whether or not it's running as root:

PROCMGR_ADN_NONROOT
    Modify the ability of the process when it's running with a non-root effective user ID.
PROCMGR_ADN_ROOT
    Modify the ability of the process when it's running as root.

The following example shows how to retain a specific ability for your process before it drops root privileges. Here, the PROCMGR_AID_PATHSPACE ability is allowed in the non-root domain, so the process keeps it after its effective user ID is no longer root:

#include <sys/procmgr.h>   /* procmgr_ability() and the PROCMGR_* constants */
#include <unistd.h>        /* setreuid(), setregid() */

/* Allow PROCMGR_AID_PATHSPACE in the non-root domain; the ability list must end with PROCMGR_AID_EOL. */
procmgr_ability( 0, PROCMGR_ADN_NONROOT
                      | PROCMGR_AOP_ALLOW
                      | PROCMGR_AID_PATHSPACE,
                      PROCMGR_AID_EOL );
/* Drop root. Change the group first: once the effective user ID is non-root, changing the group ID needs an ability this process doesn't retain. */
setregid(new_group, new_group);
setreuid(new_user, new_user);