Locking and inheritance

Inheritance of a locked and allowed procmgr ability is almost always a vulnerability: every descendant of the process holds the ability permanently and can never drop it. The exception is an ability that has been allowed in a more restricted fashion than it would normally be allowed on the system.

The following code is an insecure example of locking and inheriting an allowed procmgr ability, because it combines PROCMGR_AOP_ALLOW, PROCMGR_AOP_LOCK, and PROCMGR_AOP_INHERIT_YES:

#include <stdio.h>
#include <sys/procmgr.h>

// Insecure: the ability is allowed, locked, and inherited, so this process
// and every descendant keeps it and none of them can ever drop it.
if (procmgr_ability(0,
                    PROCMGR_ADN_NONROOT // Non-root domain
                      | PROCMGR_AOP_ALLOW // Allow the ability
                      | PROCMGR_AOP_LOCK // Lock the ability
                      | PROCMGR_AOP_INHERIT_YES // Inheritance
                      | PROCMGR_AID_SPAWN_SETUID, // Specified ability
                    PROCMGR_AID_EOL // End of ability list.
    ) != 0) {
    fprintf(stderr, "procmgr_ability failed\n");
}

The following code is secure and encouraged: because it combines PROCMGR_AOP_DENY, PROCMGR_AOP_LOCK, and PROCMGR_AOP_INHERIT_YES, the child inherits the denied setting together with the lock and can never re-enable the ability:

#include <stdio.h>
#include <sys/procmgr.h>

// Secure: the ability is denied, locked, and inherited, so neither this
// process nor any descendant can turn it back on.
if (procmgr_ability(0,
                    PROCMGR_ADN_NONROOT // Non-root domain
                      | PROCMGR_AOP_DENY // Deny the ability
                      | PROCMGR_AOP_LOCK // Lock the ability
                      | PROCMGR_AOP_INHERIT_YES // Inheritance
                      | PROCMGR_AID_SPAWN_SETUID, // Specified ability
                    PROCMGR_AID_EOL // End of ability list.
    ) != 0) {
    fprintf(stderr, "procmgr_ability failed\n");
}

You can use code like this to limit procmgr abilities that are normally allowed in the PROCMGR_ADN_NONROOT domain. Apply it before the process spawns any children, since a child created earlier keeps whatever settings it inherited at spawn time.
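The following is an added example that is not part of the original page and does not use the QNX procmgr API. It is a small model of the lock and inheritance semantics described above, written so that the consequences of the two flag combinations can be traced on any system: the struct `ability`, the functions `ability_apply()` and `ability_spawn()`, the `M_*` flag values, and the choice of "allowed" as the domain default for the non-root domain are all assumptions made for this example. On a QNX target the kernel keeps this state and `procmgr_ability()` is what changes it.

```c
/* Added model of locking and inheritance, NOT the QNX procmgr API.
 * All names and values here are assumptions for illustration only. */
#include <stdbool.h>
#include <stdio.h>

/* Operation flags of the model, mirroring the PROCMGR_AOP_* names used on
 * this page. The numeric values are arbitrary, not the QNX constants. */
enum {
    M_ALLOW       = 1 << 0,
    M_DENY        = 1 << 1,
    M_LOCK        = 1 << 2,
    M_INHERIT_YES = 1 << 3,
    M_INHERIT_NO  = 1 << 4,
};

/* Per-process state of one ability (for example SPAWN_SETUID) in one domain. */
struct ability {
    bool allowed;   /* current setting */
    bool locked;    /* no further changes are accepted */
    bool inherit;   /* setting and lock are copied to children at spawn */
};

/* Apply one request. Returns 0 on success, or -1 when the ability is already
 * locked, modelling procmgr_ability() refusing to change a locked ability. */
int ability_apply(struct ability *a, unsigned ops)
{
    if (a->locked)
        return -1;
    if (ops & M_ALLOW)       a->allowed = true;
    if (ops & M_DENY)        a->allowed = false;
    if (ops & M_INHERIT_YES) a->inherit = true;
    if (ops & M_INHERIT_NO)  a->inherit = false;
    if (ops & M_LOCK)        a->locked = true;   /* lock last, after the change */
    return 0;
}

/* Child's view of the ability at spawn time. With inheritance the setting and
 * the lock are copied; without it the child starts from the domain default,
 * unlocked (an assumption of this model). */
struct ability ability_spawn(const struct ability *parent, bool domain_default)
{
    struct ability child = { domain_default, false, false };
    if (parent->inherit)
        child = *parent;
    return child;
}

/* Scenario 1: ALLOW | LOCK | INHERIT_YES, the insecure combination above.
 * The child holds the ability and even a later DENY in the child is refused. */
bool insecure_child_keeps_setuid(void)
{
    struct ability parent = { true, false, false };  /* assumed non-root default */
    ability_apply(&parent, M_ALLOW | M_LOCK | M_INHERIT_YES);
    struct ability child = ability_spawn(&parent, true);
    int rc = ability_apply(&child, M_DENY | M_LOCK);
    return rc == -1 && child.allowed && child.locked;
}

/* Scenario 2: DENY | LOCK | INHERIT_YES, the encouraged combination above.
 * The child is denied and cannot turn the ability back on. */
bool secure_child_cannot_regain_setuid(void)
{
    struct ability parent = { true, false, false };
    ability_apply(&parent, M_DENY | M_LOCK | M_INHERIT_YES);
    struct ability child = ability_spawn(&parent, true);
    int rc = ability_apply(&child, M_ALLOW);
    return rc == -1 && !child.allowed;
}

/* Scenario 3: DENY | LOCK without inheritance. In this model the restriction
 * does not survive a spawn: the child gets the domain default again. */
bool deny_without_inherit_is_lost_on_spawn(void)
{
    struct ability parent = { true, false, false };
    ability_apply(&parent, M_DENY | M_LOCK | M_INHERIT_NO);
    struct ability child = ability_spawn(&parent, true);
    return child.allowed && !child.locked;
}

int main(void)
{
    printf("insecure: child keeps SETUID ability         = %d\n", insecure_child_keeps_setuid());
    printf("secure:   child cannot regain SETUID ability = %d\n", secure_child_cannot_regain_setuid());
    printf("no inherit: restriction lost on spawn        = %d\n", deny_without_inherit_is_lost_on_spawn());
    return 0;
}
```

The third scenario is the reason PROCMGR_AOP_INHERIT_YES belongs in the encouraged pattern: denying and locking in the parent alone does nothing for the children it spawns, and the lock only becomes useful once it travels with the denied setting.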