DCMD_PROC_ABILITIES
Return all the abilities and ability ranges of a specified process
#include <sys/procfs.h>
#define DCMD_PROC_ABILITIES __DIOF(_DCMD_PROC, __PROC_SUBCMD_PROCFS + 35, procfs_abilities)
The arguments to devctl() are:
Argument | Value |
---|---|
filedes | A file descriptor for the process. |
dcmd | DCMD_PROC_ABILITIES |
dev_data_ptr | A pointer to a procfs_abilities structure |
n_bytes | PROCFS_ABLE_TOTAL_SIZE(n, r) |
dev_info_ptr | NULL |
The argument to this command is a procfs_abilities structure that returns all of the abilities and ability ranges of the specified process. For example:
procfs_abilities my_abilities;
devctl(fd, DCMD_PROC_ABILITIES, &my_abilities, PROCFS_ABLE_TOTAL_SIZE(n, r), NULL);
The minimum size of the buffer depends on the number of abilities (n) and the number of ability ranges (r). Because these values are usually not known in advance, a conservative estimate is 150 abilities and 50 ability ranges. If the size is too small, the function fails with an errno of ENOSPC and the n_bytes field of the structure is updated with the required size.
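The ENOSPC handling described above, as an added example that is not QNX's own code: a grow-and-retry helper that bounds both the reported size and the number of attempts. The names able_fetch, able_query_fn, able_query_mock and able_query_qnx, the 1 MiB cap and the four-try limit are assumptions made for illustration; on QNX the first length would be PROCFS_ABLE_TOTAL_SIZE(150, 50), so the buffer always covers the fixed header.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical callback: 0 on success or an errno value; on ENOSPC it
 * stores the size the resource manager asked for in *required. */
typedef int (*able_query_fn)(void *ctx, void *buf, size_t len, size_t *required);

#define ABLE_MAX_BYTES (1u << 20) /* assumed sanity cap on the reply size */
#define ABLE_MAX_TRIES 4          /* abilities may change between calls */

/* Grow and retry. Returns a malloc'd buffer (caller frees) or NULL with *err set. */
void *able_fetch(able_query_fn query, void *ctx, size_t len, size_t *out_len, int *err)
{
    for (int i = 0; i < ABLE_MAX_TRIES; i++) {
        size_t required = 0;
        void *buf = calloc(1, len);
        if (buf == NULL) { *err = ENOMEM; return NULL; }
        int rc = query(ctx, buf, len, &required);
        if (rc == 0) { *out_len = len; *err = 0; return buf; }
        free(buf);
        if (rc != ENOSPC) { *err = rc; return NULL; }
        /* Reject a size that does not grow or is implausibly large. */
        if (required <= len || required > ABLE_MAX_BYTES) { *err = EINVAL; return NULL; }
        len = required;
    }
    *err = EAGAIN; /* still too small after several attempts */
    return NULL;
}

/* Constructed stand-in for the call: ctx points at the size it demands. */
int able_query_mock(void *ctx, void *buf, size_t len, size_t *required)
{
    (void)buf;
    if (len < *(size_t *)ctx) { *required = *(size_t *)ctx; return ENOSPC; }
    return 0;
}

#ifdef __QNXNTO__
#include <devctl.h>
#include <sys/procfs.h>
/* Real query: ctx points at a file descriptor for the process. */
int able_query_qnx(void *ctx, void *buf, size_t len, size_t *required)
{
    int rc = devctl(*(int *)ctx, DCMD_PROC_ABILITIES, buf, len, NULL);
    if (rc == ENOSPC) /* the structure now carries the required size */
        *required = ((procfs_abilities *)buf)->nbytes;
    return rc;
}
#endif
```

On success *out_len is the length of the allocated buffer; the size of the returned data is the nbytes value in the header.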
See Abilities in the System Security Guide for the table detailing the abilities and their names.
The return data consists of the following items: a fixed header, an array containing ability information, and an array containing ability range information.
- nbytes
- The total size of the return data. If the function fails with an error of ENOSPC, this contains the total required size.
- snables
- The number of static abilities in the ability information array. The ability IDs from 0 to (snables - 1) are static abilities. The DEFINE_ABILITIES macro defined in sys/procmgr.h may be used to define a mapping between the static ability IDs and the associated ability names.
- dnables
- The number of custom (dynamic) abilities in the ability information array. The function procmgr_ability_name() may be used to translate the ability IDs from snables to (snables + dnables - 1) to the associated ability names.
- nranges
- The number of ranges in the ability range information array.
- eol_flags
- A set of flags that defines the configurations of the process for any ability that might be defined in the future.
- PROCFS_ABLE_ALLOW_ROOT
- PROCFS_ABLE_ALLOW_NONROOT
- The ability is granted to root or non-root.
- PROCFS_ABLE_DEFAULT_ROOT
- PROCFS_ABLE_DEFAULT_NONROOT
- Applicable only for custom abilities that haven't yet been created (i.e., procmgr_ability_create() hasn't been called).
- PROCFS_ABLE_LOCK
- The ability is locked.
- PROCFS_ABLE_INHERIT
- The ability is inherited after a call from exec*(), posix_spawn*(), or spawn*().
- PROCFS_ABLE_SUBRANGE
- The array of ranges includes one or more ranges for this ability.
- PROCFS_ABLE_UNCREATED
- The ability hasn't yet been created (i.e., procmgr_ability_create() hasn't been called).
- lo
- The lower bound of the range.
- hi
- The upper bound of the range.
- id
- The ability ID this range pertains to.
- able
- A set of two possible flags, PROCFS_ABLE_ALLOW_ROOT and PROCFS_ABLE_ALLOW_NONROOT, which indicates that the range has been granted to root or non-root, respectively.