Abilities

QNX SDP 8.0, QNX OS System Security Guide

Ability ranges

Below is a list of all static and custom (dynamic) abilities defined by QNX. Ideally, abilities are set via a security policy, as described in Using Security Policies, though they may also be set directly via calls to procmgr_ability().

Some abilities have one or more subranges associated with them that further refine how the ability is granted:

  • If the ability is allowed and there are no subranges, then the ability is granted unconditionally.
  • If the ability is denied, then the subranges are ignored.
  • If you specify a subrange for an allowed ability, it is only allowed for a request that matches the subrange.
  • For access checks that span a range, the entire range must be covered by a single subrange; two separate subranges that together span the request do not satisfy it. For example, the PROCMGR_AID_MEM_PHYS ability with the enabled subranges 100–200 and 190–300 does not allow a request for the subrange 150–250 (unless those two subranges have first been merged into one; see the note below).
  • If the ability is not inherited, then the subranges are discarded when the process spawns or execs.
Note:
The secpolcompile utility merges any contiguous or overlapping subranges into a single subrange.
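The following C is an added model of the subrange rules above, not QNX source: the real checks are made by procnto and the real merge step is done by secpolcompile, and the names struct ability, ability_permits() and merge_subranges() are hypothetical. It implements the general rule (denied ignores subranges; allowed with none is unconditional; otherwise one subrange must cover the whole request) and then replays the mem_phys example from the text: with the separate subranges 100–200 and 190–300, a request for 150–250 is refused, but once the two overlapping subranges are merged into 100–300, as the note says secpolcompile does, the same request is accepted. The practical point is that the outcome of a ranged check depends on whether adjacent subranges were merged before they reached procnto, so write the subranges a process actually needs rather than relying on separate pieces adding up.

```c
/* Added model of the subrange rules above.  This is illustration only:
 * the real checks are made by procnto, and the real merge is done by
 * secpolcompile.  struct ability, ability_permits() and merge_subranges()
 * are hypothetical names chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUBRANGES 8

struct subrange { uint64_t lo, hi; };        /* inclusive bounds */

struct ability {
    bool allowed;                            /* allowed or denied */
    size_t nranges;                          /* 0 means "no subranges" */
    struct subrange ranges[MAX_SUBRANGES];
};

/* Is a request covering [lo, hi] permitted?  A denied ability refuses
 * everything regardless of subranges; an allowed ability with no
 * subranges permits everything; otherwise the whole request must fit
 * inside ONE subrange.  Two adjacent subranges that together span the
 * request do not count. */
bool ability_permits(const struct ability *a, uint64_t lo, uint64_t hi)
{
    if (!a->allowed || lo > hi)
        return false;
    if (a->nranges == 0)
        return true;
    for (size_t i = 0; i < a->nranges; i++)
        if (a->ranges[i].lo <= lo && hi <= a->ranges[i].hi)
            return true;
    return false;
}

static int cmp_subrange(const void *x, const void *y)
{
    const struct subrange *p = x, *q = y;
    return (p->lo > q->lo) - (p->lo < q->lo);
}

/* Merge contiguous or overlapping subranges into one, which is what
 * secpolcompile does to a policy's subranges.  Returns the new count. */
size_t merge_subranges(struct ability *a)
{
    if (a->nranges < 2)
        return a->nranges;
    qsort(a->ranges, a->nranges, sizeof a->ranges[0], cmp_subrange);
    size_t out = 0;
    for (size_t i = 1; i < a->nranges; i++) {
        struct subrange *cur = &a->ranges[out];
        struct subrange next = a->ranges[i];
        /* overlapping (next.lo <= cur->hi) or contiguous (next.lo == cur->hi + 1);
         * the subtraction form avoids overflow when cur->hi is UINT64_MAX */
        if (next.lo <= cur->hi || next.lo - cur->hi == 1) {
            if (next.hi > cur->hi)
                cur->hi = next.hi;
        } else {
            a->ranges[++out] = next;
        }
    }
    a->nranges = out + 1;
    return a->nranges;
}

/* Replays the text's example: mem_phys allowed for 100-200 and 190-300,
 * request for 150-250.  Returns 1 if the request is refused while the
 * subranges are separate and accepted once they are merged. */
int demo_mem_phys(void)
{
    struct ability mem_phys = {
        .allowed = true, .nranges = 2,
        .ranges = { { 100, 200 }, { 190, 300 } },
    };
    bool before = ability_permits(&mem_phys, 150, 250);  /* no single cover */
    merge_subranges(&mem_phys);                          /* now 100-300 */
    bool after  = ability_permits(&mem_phys, 150, 250);
    return (!before && after) ? 1 : 0;
}

int main(void)
{
    printf("mem_phys 150-250: %s\n",
           demo_mem_phys() ? "refused before merge, allowed after" : "unexpected");
    return 0;
}
```

The merge uses the same contiguity definition the note describes (touching or overlapping ranges become one); ranges that leave a gap, such as 0–9 and 20–30, stay separate and still refuse a request that straddles the gap.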

Ability names

Every ability has a name which is used in security policies and in the output of tools such as pidin and secpolgenerate. When used programmatically with functions such as procmgr_ability() and ConnectClientInfoAble(), the equivalent numeric ID must be used instead.

For static abilities, each ability has a symbolic constant whose name is formed by adding PROCMGR_AID_ to the ability name in uppercase. For example, to specify the able_create ability, you would use PROCMGR_AID_ABLE_CREATE.

For custom abilities, the numeric ID is looked up by passing the ability name to either of the functions procmgr_ability_lookup() or procmgr_ability_create().

Static abilities

The table below gives the name portion and the constant for each static ability, indicates whether the operation is normally privileged (e.g., rebooting the system) or not (e.g., spawning and forking), and describes the subrange where the ability accepts one. In each entry, "Controls" is short for "Controls the process's ability to", and "Subrange" appears only for abilities that accept one.

able_create (PROCMGR_AID_ABLE_CREATE)
  Privileged: Yes
  Controls: Allocate permanent identifiers for additional named abilities; for more information, see procmgr_ability_create() and procmgr_ability_lookup()

able_priv (PROCMGR_AID_ABLE_PRIV)
  Privileged: Yes
  Controls: Enable a currently denied privileged ability, add subranges to such an ability, or inherit such an ability

channel_connect (PROCMGR_AID_CHANNEL_CONNECT)
  Privileged: Yes
  Controls: Connect to channels that belong to other processes and have a type ID other than 0. For more information, see Security Policies.
  Subrange: Allowable channel type IDs

child_newapp (PROCMGR_AID_CHILD_NEWAPP)
  Privileged: Yes
  Controls: Create a new application ID for a child process by setting POSIX_SPAWN_NEWAPP for posix_spawn() or posix_spawnp(), or SPAWN_NEWAPP for the spawn*() functions

chroot (PROCMGR_AID_CHROOT)
  Privileged: Yes
  Controls: Change the process's root directory by calling chroot()

clockset (PROCMGR_AID_CLOCKSET)
  Privileged: Yes
  Controls: Set the clock, using clock_settime(), settimeofday(), ClockAdjust(), or ClockTime()
  Subrange: Allowable times, in nanoseconds

confset (PROCMGR_AID_CONFSET)
  Privileged: Yes
  Controls: Set configuration strings, using confstr()
  Subrange: Allowable names (_CS_*)

connection (PROCMGR_AID_CONNECTION)
  Privileged: Yes
  Controls:
    • Use MsgSendPulse() to send a pulse to a channel owned by a different process with a different user ID
    • Use a SIGEV_PULSE event to deliver a pulse to a channel in a different process with a different user ID from the process that owns the coid in the pulse event (e.g., with a timer or InterruptAttachEvent())

cpumode (PROCMGR_AID_CPUMODE)
  Privileged: Yes
  Controls: Change the CPU's power management mode
  Subrange: Allowable modes

default_timer_tolerance (PROCMGR_AID_DEFAULT_TIMER_TOLERANCE)
  Privileged: Yes
  Controls: Set the default timer tolerance for another process, using procmgr_timer_tolerance()

event (PROCMGR_AID_EVENT)
  Privileged: Yes
  Controls: Trigger privileged system-wide events, using procmgr_event_trigger() or procmgr_event_trigger_updateable()
  Subrange: Trigger bits

fork (PROCMGR_AID_FORK)
  Privileged: No
  Controls: Create a new process by calling fork()

getid (PROCMGR_AID_GETID)
  Privileged: Yes
  Controls: Get the process group ID or session ID of a process outside the calling process's session, by using getpgid() or getsid(), respectively

high_resolution_timer (PROCMGR_AID_HIGH_RESOLUTION_TIMER)
  Privileged: Yes
  Controls: Set the timer tolerance to a value between 0 and the clock period, by calling timer_settime(), timer_timeout(), TimerSettime(), or TimerTimeout()

interrupt (PROCMGR_AID_INTERRUPT)
  Privileged: Yes
  Controls: Attach to an interrupt by calling InterruptAttachEvent() or InterruptAttachThread()
  Subrange: Interrupt sources

io (PROCMGR_AID_IO)
  Privileged: Yes
  Controls: Request I/O privileges by calling ThreadCtl() with the _NTO_TCTL_IO_LEVEL, _NTO_TCTL_IO, or _NTO_TCTL_IO_PRIV command
  Subrange: Level: 0 for _NTO_IO_LEVEL_1 or _NTO_TCTL_IO; 1 for _NTO_IO_LEVEL_2 or _NTO_TCTL_IO_PRIV

mac_policy (PROCMGR_AID_MAC_POLICY)
  Privileged: Yes
  Controls: Change the security policy that procnto enforces; see secpolpush in the Utilities Reference

map_fixed (PROCMGR_AID_MAP_FIXED)
  Privileged: No
  Controls: Use mmap() with MAP_FIXED to map fixed addresses (including zero)
  Subrange: Allowable virtual addresses

mem_add (PROCMGR_AID_MEM_ADD)
  Privileged: Yes
  Controls: Add physical memory
  Subrange: Allowable physical addresses

mem_lock (PROCMGR_AID_MEM_LOCK)
  Privileged: Yes
  Controls: Lock a range of process address space into physical memory, by calling mlock() or mlockall()
  Subrange: Allowable virtual addresses

mem_peer (PROCMGR_AID_MEM_PEER)
  Privileged: Yes
  Controls: Manipulate a peer process's memory
  Subrange: Peer user IDs

mem_phys (PROCMGR_AID_MEM_PHYS)
  Privileged: Yes
  Controls: Map physical memory into its address space (e.g., by calling mmap() with MAP_PHYS, or mmap_device_memory())
  Subrange: Allowable physical addresses

mem_special (PROCMGR_AID_MEM_SPECIAL)
  Privileged: Yes
  Controls: Call shm_ctl_special()

mountifs (PROCMGR_AID_MOUNTIFS)
  Privileged: Yes
  Controls: Mount secondary image filesystems. For more information, see the mount_ifs entry in the Utilities Reference.

msg_queue (PROCMGR_AID_MSG_QUEUE)
  Privileged: Yes
  Controls: Create kernel message queues

pathspace (PROCMGR_AID_PATHSPACE)
  Privileged: Yes
  Controls: Add items to the procnto pathname prefix space, specifically to create symbolic links by calling pathmgr_symlink(), or to register names in the path space by calling resmgr_attach()

path_trust (PROCMGR_AID_PATH_TRUST)
  Privileged: Yes
  Controls: Indicate that a filesystem is trusted:
    • For a resource manager, indicate that one or more filesystems that it provides are trusted.
    • For a process that requests that another resource manager mount a filesystem, request that the filesystem be mounted as trusted.
  For more information, see Pathtrust and the description of PROT_EXEC in the entry for mmap().

pgrp (PROCMGR_AID_PGRP)
  Privileged: No
  Controls: Set its process group ID, by calling setpgrp() or procmgr_session(). This ability is enabled by default (for POSIX conformance).
  Subrange: Process IDs

power (PROCMGR_AID_POWER)
  Privileged: Yes
  Controls: Set power-management parameters

priority (PROCMGR_AID_PRIORITY)
  Privileged: Yes
  Controls: Set a thread's priority above the maximum unprivileged priority. The maximum unprivileged priority is usually 63, but is governed by the -P option to procnto.
  Subrange: Allowable priorities

privreg (PROCMGR_AID_PRIVREG)
  Privileged: Yes
  Controls: Use the DCMD_PROC_GETREGSET and DCMD_PROC_SETREGSET devctl() commands to get and set privileged registers in the range from REGSET_STARTPRIV and up. See Controlling processes via the /proc filesystem in the Processes chapter of the QNX OS Programmer's Guide.

prot_exec (PROCMGR_AID_PROT_EXEC)
  Privileged: No
  Controls: Load code by calling dlopen(), or map memory as executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_EXEC
  Subrange: Allowable virtual addresses

prot_write_and_exec (PROCMGR_AID_PROT_WRITE_AND_EXEC)
  Privileged: No
  Controls: Simultaneously map memory as writable and executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_WRITE | PROT_EXEC
  Subrange: Allowable virtual addresses

public_channel (PROCMGR_AID_PUBLIC_CHANNEL)
  Privileged: No
  Controls: Create a public channel by calling ChannelCreate() without setting _NTO_CHF_PRIVATE. Resource managers need this ability to create a public channel when they call dispatch_create_channel() or dispatch_create(). Programs that aren't resource managers need it to create a public channel when they call name_attach().

qvm (PROCMGR_AID_QVM)
  Privileged: Yes
  Controls: Reserved for the hypervisor

rconstraint (PROCMGR_AID_RCONSTRAINT)
  Privileged: No
  Controls: Operate without any resource constraints. For more information, see Resource constraint thresholds in the Processes chapter of the QNX OS Programmer's Guide.

reboot (PROCMGR_AID_REBOOT)
  Privileged: Yes
  Controls: Cause the system to reboot by calling sysmgr_reboot()

rlimit (PROCMGR_AID_RLIMIT)
  Privileged: Yes
  Controls: Use setrlimit() to raise hard limits on system resources
  Subrange: Limits (RLIMIT_*) that it can raise

rlimit_peer (PROCMGR_AID_RLIMIT_PEER)
  Privileged: Yes
  Controls: Change limits on system resources for other processes
  Subrange: Allowable user IDs

rsrcdbmgr (PROCMGR_AID_RSRCDBMGR)
  Privileged: Yes
  Controls: Use the rsrcdbmgr*() functions to manipulate the resource database manager

sandbox (PROCMGR_AID_SANDBOX)
  Privileged: Yes
  Controls: Not used.

schedule (PROCMGR_AID_SCHEDULE)
  Privileged: Yes
  Controls: Use SchedCtl() with the SCHED_CONFIGURE command, SchedGet(), sched_getparam(), sched_getscheduler(), SchedSet(), sched_setparam(), or sched_setscheduler() to get or set the scheduling policy and parameters for a process whose user ID is different from the calling process's real or effective user ID

server_monitor (PROCMGR_AID_SERVER_MONITOR)
  Privileged: Yes
  Controls: Register with the process manager to be notified when servers don't respond to unblock requests promptly enough; see server-monitor in the Utilities Reference.

session (PROCMGR_AID_SESSION)
  Privileged: Yes
  Controls: Use procmgr_session() to change a character terminal's process group or to send a signal to a member of a session group
  Subrange: Allowable session IDs

setgid (PROCMGR_AID_SETGID)
  Privileged: Yes
  Controls: Set its real or effective group ID to values other than its real or effective group ID or its saved set-group ID, by calling setgid(), setegid(), or setregid(); or change or delete its supplementary group IDs by calling setgroups()
  Subrange: Allowable group IDs

settypeid (PROCMGR_AID_SETTYPEID)
  Privileged: Yes
  Controls: Specify a type identifier in a call to posix_spawn(), or call secpol_transition_type(). The subranges control which type identifiers the process may use; without this ability, a process cannot even spawn a process with, or set its type to, its own current type. For more information, see Security Policies.
  Subrange: Allowable type IDs

setuid (PROCMGR_AID_SETUID)
  Privileged: Yes
  Controls: Set its real or effective user ID to values other than its real or effective user ID or its saved set-user ID, by calling seteuid(), setuid(), or setreuid()
  Subrange: Allowable user IDs

sigev_thread (PROCMGR_AID_SIGEV_THREAD)
  Privileged: No
  Controls: Use a SIGEV_THREAD sigevent. For a registered event, the ability check is done only when you call MsgRegisterEvent(). Other C library functions that are passed a sigevent as an argument do the ability check only for an unregistered SIGEV_THREAD event. These functions include InterruptAttachEvent(), MsgDeliverEvent(), procmgr_event_notify(), procmgr_event_notify_add(), procmgr_value_notify_add(), SyncCtl(), ThreadCtlExt(), TimerCreate(), and TimerTimeout().

signal (PROCMGR_AID_SIGNAL)
  Privileged: Yes
  Controls:
    • Send signals to a process with a different real or effective user ID by calling kill(), sigqueue(), SignalKill(), or SignalKillSigval()
    • Use ThreadCtlExt() with the _NTO_TCTL_ONE_THREAD_CONT, _NTO_TCTL_ONE_THREAD_HOLD, _NTO_TCTL_THREADS_CONT, or _NTO_TCTL_THREADS_HOLD command to hold or unfreeze a thread in a different process. The _NTO_TCTL_*_CONT commands need to use SIGCONT; the _NTO_TCTL_*_HOLD commands need to use SIGSTOP.
  Subrange: Allowable signals

spawn (PROCMGR_AID_SPAWN)
  Privileged: No
  Controls: Spawn new processes by calling exec*(), spawn*(), or posix_spawn()

spawn_setgid (PROCMGR_AID_SPAWN_SETGID)
  Privileged: Yes
  Controls: Set the group ID of the child process when using posix_spawn()
  Subrange: Allowable group IDs

spawn_setuid (PROCMGR_AID_SPAWN_SETUID)
  Privileged: Yes
  Controls: Set the user ID of the child process when using posix_spawn()
  Subrange: Allowable user IDs

srandom (PROCMGR_AID_SRANDOM)
  Privileged: Yes
  Controls: Use SysSrandom() to query the kernel for entropy

swap (PROCMGR_AID_SWAP)
  Privileged: Yes
  Controls: Enable, disable, or configure the memory swapper

trace (PROCMGR_AID_TRACE)
  Privileged: Yes
  Controls: Control or configure the kernel tracing subsystem

umask (PROCMGR_AID_UMASK)
  Privileged: Yes
  Controls: Change the file-mode creation mask for a process with a different effective user ID

untrusted_exec (PROCMGR_AID_UNTRUSTED_EXEC)
  Privileged: No
  Controls: Execute files from an untrusted filesystem. For more information, see Pathtrust and the description of PROT_EXEC in the entry for mmap().

wait (PROCMGR_AID_WAIT)
  Privileged: Yes
  Controls: Use wait(), wait3(), wait4(), waitid(), or waitpid() to wait for the status of a terminated child process whose real or saved user ID is different from the calling process's real or effective user ID
  Subrange: Child process IDs

xprocess_able (PROCMGR_AID_XPROCESS_ABLE)
  Privileged: Yes
  Controls: Change the abilities of another process

xprocess_debug (PROCMGR_AID_XPROCESS_DEBUG)
  Privileged: Yes
  Controls:
    • Open for writing the /proc/pid/as or /proc/pid/ctl files of another process that's running as a different user ID than the requesting process. Doing this is required to debug a process.
    • Use ThreadCtlExt() with the _NTO_TCTL_RUNMASK, _NTO_TCTL_RUNMASK_GET_AND_SET, or _NTO_TCTL_RUNMASK_GET_AND_SET_INHERIT command to get or set the runmask of a thread in a different process.
  Subrange: User IDs that can be accessed

xprocess_mem_read (PROCMGR_AID_XPROCESS_MEM_READ)
  Privileged: Yes
  Controls: Open for reading the /proc/pid/as file of another process that's running as a different user ID than the requesting process. This ability is required to create core files, for full pidin functionality, and for debugging another process.
  Subrange: User IDs that can be accessed

xprocess_query (PROCMGR_AID_XPROCESS_QUERY)
  Privileged: Yes
  Controls:
    • Use clock_gettime(), ClockTime(), ConnectFlags(), or TimerInfo() to request information about another process.
    • Open for reading the /proc/pid/* files (except for the as file) of another process that's running as a different user ID than the requesting process.
    • Use ThreadCtlExt() with the _NTO_TCTL_NAME command to get the name of a thread in a different process.
  Subrange: Allowable user IDs

Custom abilities

The currently defined custom abilities are listed below. For more details about creating and using custom abilities, see procmgr_ability_lookup() and procmgr_ability_create(). Each entry gives the ability name, its constant where the page defines one, and what the ability controls.

  • The filesystem event manager (fsevmgr) uses the following:
    fsevmgr/qnxext (INOTIFY_ABILITY_QNX_EXT): Listen for any of the QNX extended inotify events; fsevmgr checks this ability on processes that ask to listen for them.
    fsevmgr/recurse (INOTIFY_ABILITY_RECURSE): Reserved for future use.

    For more information, see inotify_qnx_ext().

  • The resource manager library creates the following:
    iofunc/chown (IOFUNC_ABILITY_CHOWN): Change the ownership of a file to a different UID, or change the GID of a file to a GID that the process does not belong to.
    iofunc/dup (IOFUNC_ABILITY_DUP): Obtain a duplicate of any process's file descriptor.
    iofunc/exec (IOFUNC_ABILITY_EXEC): Access files or directories within directories for which POSIX permissions and ACLs would prohibit access, and execute files for which the process does not have execute permission.
    iofunc/read (IOFUNC_ABILITY_READ): Open a file for reading where POSIX permissions and ACLs would prohibit access.

    These abilities bypass the permission checks that resource managers normally enforce; a process should usually not be given them.

  • The General Purpose Input/Output (GPIO) system uses the following:
    io-gpio/all

  • The io-sock networking manager uses the following:
    network/privport: Bind a privileged port (low port number).
    network/rawsocket: Open a raw socket that uses the Internet protocol family definitions provided by netinet/in.h. Required by utilities such as ping.
    network/reuseport: Connect to a socket on the same port as another connection created by a different user, where the IP_BINDMULTI or SO_REUSEPORT socket options are applied.
    network/ipsec: Administer IPsec.
    network/admin: Perform the operations that are not covered by another ability but that a networking component generally requires (e.g., create and bring up interfaces, set the socket manager state via sysctl). Required by utilities such as dhclient.

    For more information, see Privilege Control in the High-Performance Networking Stack User's Guide.

  • The smmuman service uses the following:
    smmu/attach (SMMU_ABILITY_ATTACH_NAME): Connect to the smmuman service.
    smmu/target (SMMU_ABILITY_TARGET_NAME): Use the SMF_TARGET flag with the smmu_mapping_add() function.

    For more information, see the SMMUMAN User's Guide.

  • The block I/O system uses the following abilities, most of them to govern the use of particular devctl() commands:
    vfs/fs-control (BLK_ABILITY_FSCTL): Use the DCMD_FSYS_CTL command. (For internal use only)
    vfs/mount-blk (BLK_ABILITY_MOUNTVFS): Use mount and umount.
    vfs/pregrow (BLK_ABILITY_PREGROW): Use the DCMD_FSYS_PREGROW_FILE command.
    vfs/relearn (BLK_ABILITY_RELEARN): Use the DCMD_BLK_FORCE_RELEARN and DCMD_FSYS_FORCE_RELEARN commands.
    vfs/stats-clear (BLK_ABILITY_STATSCLEAR): Use the DCMD_FSYS_STATISTICS and DCMD_FSYS_STATISTICS_CLR commands.

    For more information, see Devctl and Ioctl Commands and the Utilities Reference.
