DCMD_PROC_ABILITIES

Updated: April 19, 2023

Return all the abilities and ability ranges of a specified process

#include <sys/procfs.h>

#define DCMD_PROC_ABILITIES  __DIOF(_DCMD_PROC, __PROC_SUBCMD_PROCFS + 35, procfs_abilities)

The arguments to devctl() are:

Argument      Value
filedes       A file descriptor for the process.
dcmd          DCMD_PROC_ABILITIES
dev_data_ptr  A pointer to a procfs_abilities structure
n_bytes       PROCFS_ABLE_TOTAL_SIZE(n, r)
dev_info_ptr  NULL

The argument to this command is a buffer that begins with a procfs_abilities structure; on return it holds all of the abilities and ability ranges of the specified process. Because the ability and range arrays follow the fixed structure, the buffer must be allocated at the full PROCFS_ABLE_TOTAL_SIZE(n, r), not as a bare procfs_abilities variable. For example:

size_t n = 150, r = 50;   /* conservative estimates; see below */
procfs_abilities *my_abilities = malloc(PROCFS_ABLE_TOTAL_SIZE(n, r));

devctl(fd, DCMD_PROC_ABILITIES, my_abilities, PROCFS_ABLE_TOTAL_SIZE(n, r), NULL);

The minimum size of the buffer depends on the number of abilities (n) and the number of ability ranges (r). As these values are usually not known in advance, a conservative estimate is 150 abilities and 50 ability ranges. If the size is too small, the function fails with an errno of ENOSPC and the nbytes field of the structure will have been updated with the required size, so the caller can reallocate the buffer to that size and retry.

See Abilities in the System Security Guide for the table detailing the abilities and their names.

The return data consists of the following items: a fixed header, an array containing ability information, and an array containing ability range information.

The fixed header is of type procfs_abilities with the following members:
nbytes
The total size of the return data. If the function fails with an error of ENOSPC, this contains the total required size.
snables
The number of static abilities in the ability information array. The ability IDs from 0 to (snables - 1) are static abilities. The DEFINE_ABILITIES macro defined in sys/procmgr.h may be used to define a mapping between the static ability IDs and the associated ability names.
dnables
The number of custom (dynamic) abilities in the ability information array. The function procmgr_ability_name() may be used to translate the ability IDs from snables to (snables + dnables - 1) to the associated ability names.
nranges
The number of ranges in the ability range information array.
eol_flags
A set of flags that defines the configurations of the process for any ability that might be defined in the future.
The ability information array provides the configuration of each ability of the process. The number of array elements is snables + dnables. Each element is of type uint16_t and is indexed by ability ID. The eol_flags member of the procfs_abilities header above and each element of the ability array are made up of the following flags:
PROCFS_ABLE_ALLOW_ROOT
PROCFS_ABLE_ALLOW_NONROOT
The ability is granted to root or non-root.
PROCFS_ABLE_DEFAULT_ROOT
PROCFS_ABLE_DEFAULT_NONROOT
Applicable only for custom abilities that haven't yet been created (i.e., procmgr_ability_create() hasn't been called).
The process will be granted the ability for root or non-root based on the default privileges granted when procmgr_ability_create() is called for the ability.
PROCFS_ABLE_LOCK
The ability is locked.
PROCFS_ABLE_INHERIT
The ability is inherited across a call to exec*(), posix_spawn*(), or spawn*().
PROCFS_ABLE_SUBRANGE
The array of ranges includes one or more ranges for this ability.
PROCFS_ABLE_UNCREATED
The ability hasn't yet been created (i.e., procmgr_ability_create() hasn't been called).
The ability range information array provides the list of ability ranges of the process. The number of array elements is equal to nranges. Each element is of type procfs_ability_range with the following members:
lo
The lower bound of the range.
hi
The upper bound of the range.
id
The ability ID this range pertains to.
able
A set of two possible flags, PROCFS_ABLE_ALLOW_ROOT and PROCFS_ABLE_ALLOW_NONROOT, which indicates that the range has been granted to root or non-root, respectively.
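The following program is an added example, not code from the QNX documentation. It ties together the sizing and ENOSPC-retry rule described above and the header/array layout just listed: it grows the buffer once to the nbytes the kernel reports, then walks the ability array and the range array and renders each flag word with the names on this page. On QNX it compiles against the real <sys/procfs.h>; elsewhere it falls back to a stand-in layout and a constructed devctl() so the logic can be exercised offline. In that fallback the field types, the flag bit values, the PROCFS_ABLE_TOTAL_SIZE arithmetic, the DCMD number and the assumption that the two arrays follow the header contiguously are all assumptions of this example, not facts from the header, and must be checked against it before the accessor arithmetic is trusted on a real system.

```c
/* Added example (not QNX code): read a process's abilities with DCMD_PROC_ABILITIES.
 * On QNX this uses the real <sys/procfs.h>; elsewhere an ASSUMED stand-in layout and a
 * fake devctl() let the sizing/ENOSPC logic run offline (see the lead-in for caveats). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __QNX__
#include <devctl.h>
#include <sys/procfs.h>
#else
typedef struct { uint32_t nbytes, snables, dnables, nranges; uint16_t eol_flags; } procfs_abilities;
typedef struct { uint64_t lo, hi; uint32_t id; uint16_t able; } procfs_ability_range;
enum { PROCFS_ABLE_ALLOW_ROOT = 0x01, PROCFS_ABLE_ALLOW_NONROOT = 0x02, PROCFS_ABLE_DEFAULT_ROOT = 0x04,
       PROCFS_ABLE_DEFAULT_NONROOT = 0x08, PROCFS_ABLE_LOCK = 0x10, PROCFS_ABLE_INHERIT = 0x20,
       PROCFS_ABLE_SUBRANGE = 0x40, PROCFS_ABLE_UNCREATED = 0x80 };   /* placeholder bit values */
#define PROCFS_ABLE_TOTAL_SIZE(n, r) \
    (sizeof(procfs_abilities) + (n) * sizeof(uint16_t) + (r) * sizeof(procfs_ability_range))
#define DCMD_PROC_ABILITIES 0x7a00   /* placeholder command number */
#define EOK 0
/* Constructed stand-in for devctl(): a fake target with three static abilities, one uncreated
 * custom ability and one range for ability 2. Too small a buffer -> ENOSPC, nbytes = required. */
static int devctl(int fd, int dcmd, void *data, size_t nbytes, int *info)
{
    static const uint16_t able[4] = {
        PROCFS_ABLE_ALLOW_ROOT | PROCFS_ABLE_ALLOW_NONROOT | PROCFS_ABLE_LOCK,
        PROCFS_ABLE_ALLOW_ROOT | PROCFS_ABLE_INHERIT, PROCFS_ABLE_ALLOW_ROOT | PROCFS_ABLE_SUBRANGE,
        PROCFS_ABLE_DEFAULT_ROOT | PROCFS_ABLE_UNCREATED };
    static const procfs_ability_range rng = { 0x1000, 0x1fff, 2, PROCFS_ABLE_ALLOW_ROOT };
    procfs_abilities hdr = { (uint32_t)PROCFS_ABLE_TOTAL_SIZE(4, 1), 3, 1, 1, 0 };
    (void)fd; (void)info;
    if (dcmd != DCMD_PROC_ABILITIES || nbytes < sizeof hdr) return EINVAL;
    memcpy(data, &hdr, sizeof hdr);                   /* header (with required nbytes) always written */
    if (nbytes < hdr.nbytes) return ENOSPC;
    memcpy((char *)data + sizeof hdr, able, sizeof able);
    memcpy((char *)data + sizeof hdr + sizeof able, &rng, sizeof rng);
    return EOK;
}
#endif

/* Start from a guessed size (the page suggests 150 abilities / 50 ranges); on ENOSPC grow once
 * to the nbytes the kernel reported and retry. Returns a malloc'd buffer (caller frees) or NULL. */
procfs_abilities *fetch_abilities(int fd, size_t n_guess, size_t r_guess, int *attempts)
{
    size_t size = PROCFS_ABLE_TOTAL_SIZE(n_guess, r_guess);
    if (size < sizeof(procfs_abilities)) size = sizeof(procfs_abilities);
    procfs_abilities *p = calloc(1, size);
    for (*attempts = 0; p != NULL && *attempts < 2; ) {
        int err = devctl(fd, DCMD_PROC_ABILITIES, p, size, NULL);
        ++*attempts;
        if (err == -1) err = errno;                   /* either devctl() error convention */
        if (err == EOK) return p;
        if (err != ENOSPC || p->nbytes <= size) break;
        size = p->nbytes;                             /* required size reported by the kernel */
        procfs_abilities *grown = realloc(p, size);
        if (grown == NULL) break;
        p = grown;
    }
    free(p);
    return NULL;
}

/* Flag word of ability `id` (array assumed to start right after the header; memcpy avoids
 * alignment assumptions). */
uint16_t ability_flags(const procfs_abilities *p, uint32_t id)
{
    uint16_t f;
    memcpy(&f, (const char *)p + sizeof *p + (size_t)id * sizeof f, sizeof f);
    return f;
}

/* Range `i` (range array assumed to follow the ability array directly); 0 on success. */
int range_at(const procfs_abilities *p, uint32_t i, procfs_ability_range *out)
{
    if (i >= p->nranges) return -1;
    size_t off = sizeof *p + (size_t)(p->snables + p->dnables) * sizeof(uint16_t) + (size_t)i * sizeof *out;
    memcpy(out, (const char *)p + off, sizeof *out);
    return 0;
}

/* Render a flag word as "NAME|NAME" (PROCFS_ABLE_ prefix dropped); returns the number of flags set. */
unsigned describe_flags(uint16_t f, char *buf, size_t len)
{
    static const struct { uint16_t bit; const char *name; } names[] = {
        { PROCFS_ABLE_ALLOW_ROOT, "ALLOW_ROOT" }, { PROCFS_ABLE_ALLOW_NONROOT, "ALLOW_NONROOT" },
        { PROCFS_ABLE_DEFAULT_ROOT, "DEFAULT_ROOT" }, { PROCFS_ABLE_DEFAULT_NONROOT, "DEFAULT_NONROOT" },
        { PROCFS_ABLE_LOCK, "LOCK" }, { PROCFS_ABLE_INHERIT, "INHERIT" },
        { PROCFS_ABLE_SUBRANGE, "SUBRANGE" }, { PROCFS_ABLE_UNCREATED, "UNCREATED" } };
    unsigned n = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(f & names[i].bit)) continue;
        int w = snprintf(buf + used, len - used, "%s%s", n ? "|" : "", names[i].name);
        if (w < 0 || (size_t)w >= len - used) break;
        used += (size_t)w;
        n++;
    }
    return n;
}
```

On a QNX target the descriptor comes from opening the process's address-space entry under /proc (the page's filedes); fetch_abilities(fd, 150, 50, &attempts) then returns the buffer, and iterating id from 0 to snables + dnables - 1 through ability_flags() and describe_flags(), plus range_at() for every range, gives a per-ability privilege listing suitable for checking that a service has dropped or locked what it no longer needs. The retry is bounded to two calls on purpose: a second ENOSPC after honouring the reported nbytes indicates the process's ability set changed underneath the caller, which is better surfaced as a failure than looped on.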