Procmgr abilities

QNX SDP 8.0 Programmer's Guide

The QNX OS supports procmgr abilities, process-manager settings that govern which operations a particular process is permitted to do.

A privileged process can obtain these abilities before dropping root privileges, which lets it retain specific functionality that historically was available only to root. Furthermore, procmgr abilities can be locked: once an ability is locked, even a root process can't change it, so actions that root could historically take become unavailable to it. Locking significantly reduces the attack surface of the system, even if the process that's compromised is running as root.

We recommend that you use the procmgr ability model wherever possible: retain only the specific abilities a process needs, and drop and lock everything that isn't explicitly required. Once you've used a retained ability, drop and lock it too if you no longer need it. The following sections include simple examples of retaining and locking abilities.

You can adjust procmgr abilities by calling procmgr_ability(). This function is typically used by services that start as root and need to retain certain capabilities before dropping privileges.

The first argument to procmgr_ability() is a process ID, or 0 to indicate the calling process. It's followed by a variable number of arguments, each of which is a bitwise OR of flags that indicate:
  • an ability
  • the domain the operation applies to (root, non-root, or both)
  • the operation: whether the ability should be allowed, denied, locked, inheritable by child processes, and so on
  • whether or not additional arguments follow that entry (e.g., the PROCMGR_AOP_SUBRANGE flag indicates that the bounds of a range to associate with the ability follow as extra arguments)

The list of abilities must be terminated by an argument that includes the PROCMGR_AID_EOL flag.
