Privilege Control

QNX SDP 8.0, High-Performance Networking Stack (io-sock) User's Guide

As with other components that run on QNX OS, the privileged operations required by io-sock and the networking components are protected by process manager abilities. These abilities are configured either directly by the components themselves or, preferably, through security policies defined by the system integrator.

For a list of these abilities, see Abilities in the Privilege control section of the System Security Guide.

For an overview of process manager abilities, see:

After io-sock is up and running, you can use a sysctl command to have io-sock drop the extra privileges it needed during startup and have it run with a reduced set of privileges for normal operation.

Dropping privileges for systems with a security policy

For systems that use security policies, you should run io-sock as a non-root user and then, after it has fully started, set the qnx.sec.transition sysctl variable. The io-sock manager continues to run with the same uid it was started with, but switches to a different security type, typically one with fewer privileges. For example:

sysctl qnx.sec.transition=1

The sysctl design requires you to pass in a non-zero value; passing in 1 is recommended because future releases could assign specific meanings to other parameter values.

Dropping privileges for systems without a security policy

If your system does not use security policies, you should run io-sock as root and then use qnx.sec.droproot to have it switch to the specified user. For example:

sysctl qnx.sec.droproot=value

where value specifies a user, one or more groups, or both, using one of the following formats:

  • uid[:gid[,sup_gid]*]
  • user_name[,sup_gid]*

The default is 99:99,120. In the second format, the primary group is the one specified for user_name in /etc/passwd.
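The two value formats above are easy to get wrong by hand (a stray colon or a non-numeric group), and a malformed value only surfaces when io-sock refuses the switch. The following POSIX sh script is an added example, not code from QNX or the io-sock documentation: it checks a candidate value against the two documented formats (uid[:gid[,sup_gid]*] and user_name[,sup_gid]*) before issuing the sysctl, and runs the actual sysctl only when DRY_RUN is unset. The helper names (droproot_value_ok, drop_privileges, DRY_RUN) and the user-name character rules are assumptions of the example, not part of the io-sock interface.

```shell
#!/bin/sh
# Added example, not part of QNX io-sock or its documentation.
# Validates a value for "sysctl qnx.sec.droproot=<value>" against the
# two documented formats before the privilege drop is requested:
#     uid[:gid[,sup_gid]*]    or    user_name[,sup_gid]*

# True if $1 is a non-empty string of decimal digits.
is_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if $1 is a non-empty, comma-separated list of numeric gids
# (no leading, trailing or doubled commas).
all_gids() {
    [ -n "$1" ] || return 1
    case "$1" in
        ,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=','
    for g in $1; do
        if ! is_digits "$g"; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Returns 0 when $1 matches one of the two documented droproot formats.
droproot_value_ok() {
    v=$1
    case "$v" in
        '') return 1 ;;
        *:*)
            # Numeric form with a primary group: uid:gid[,sup_gid]*
            is_digits "${v%%:*}" && all_gids "${v#*:}"
            return $?
            ;;
    esac
    case "$v" in
        *,*) head=${v%%,*}; tail=${v#*,} ;;
        *)   head=$v; tail='' ;;
    esac
    if is_digits "$head"; then
        # A bare uid: supplementary groups are only allowed after a gid.
        [ -z "$tail" ]
        return $?
    fi
    # user_name[,sup_gid]*; the name rules below are an assumption of
    # this example (letter or underscore first, then [A-Za-z0-9_-]).
    case "$head" in
        [A-Za-z_]*) ;;
        *) return 1 ;;
    esac
    case "$head" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ -z "$tail" ] || all_gids "$tail"
}

# Ask the already-running io-sock to switch to the given user/groups.
# With DRY_RUN set, prints the command instead of running it.
drop_privileges() {
    value=$1
    if ! droproot_value_ok "$value"; then
        echo "refusing: '$value' is not uid[:gid[,sup_gid]*] or user_name[,sup_gid]*" >&2
        return 1
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        echo "sysctl qnx.sec.droproot=$value"
    else
        sysctl "qnx.sec.droproot=$value"
    fi
}
```

Typical use on the target, once io-sock has been started as root and has fully come up, is `drop_privileges 99:99,120` (the documented default) or `drop_privileges iosock,120` for a named user whose primary group comes from /etc/passwd; run it with `DRY_RUN=1` first to see the exact sysctl it will issue.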

You can also use sysctl variables to selectively drop the abilities that io-sock retains after setting qnx.sec.droproot. For information, see the sysctl entry in the QNX OS Utilities Reference.

For systems that don't use security policies, you cannot use qnx.sec.droproot to specify additional abilities to retain if your networking driver needs them. Instead, you can specify any extra abilities when you start io-sock. For example:

on -A nonroot,allow,interrupt io-sock -d em

For more information, see the entry for on in the QNX OS Utilities Reference.

Abilities for networking operations

The io-sock networking stack provides a set of custom abilities that control a client's ability to perform various networking operations. For more information, see Custom abilities in the Abilities section of the System Security Guide.

Controlling access to packet filtering

Access to packet filtering (PF) and Berkeley Packet Filter (BPF) is controlled via filesystem ACLs on the /dev/pf and /dev/bpf devices. For more information, see Access Control Lists (ACLs) in the QNX OS User's Guide.
