Abilities
Ability ranges
Below is a list of all static and custom (dynamic) abilities defined by QNX. Ideally, abilities are set via a security policy as described in Using Security Policies, though they may also be set directly via calls to procmgr_ability().
Some abilities may have one or more subranges associated with that ability that further refine how the ability is granted:
- If the ability is allowed and there are no subranges, then the ability is granted unconditionally.
- If the ability is denied, then the subranges are ignored.
- If you specify a subrange for an allowed ability, it is only allowed for a request that matches the subrange.
- For access checks that span a range, the entire range must be covered by a single subrange. For example, the PROCMGR_AID_MEM_PHYS ability with the enabled subranges 100–200 and 190–300 does not allow a request for the subrange 150–250.
- If the ability is not inherited, then the subranges are discarded when the process spawns or execs.
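The subrange rules above, written out as a small checker. This is an added example, not QNX's own implementation: the `struct ability` model and the 100–200 / 190–300 ranges are constructed here to mirror the mem_phys case in the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One allowed subrange [lo, hi] of an ability (inclusive bounds). */
struct subrange { uint64_t lo; uint64_t hi; };

/* Constructed model of one ability entry: allowed/denied plus its subranges. */
struct ability {
    bool allowed;
    const struct subrange *ranges;
    size_t nranges;
};

/* Decide a request for [req_lo, req_hi] using the rules listed above:
 *  - denied ability: subranges are ignored and the request is refused;
 *  - allowed with no subranges: granted unconditionally;
 *  - otherwise a single subrange must cover the whole request. */
bool ability_request_allowed(const struct ability *a, uint64_t req_lo, uint64_t req_hi)
{
    if (!a->allowed || req_lo > req_hi)
        return false;
    if (a->nranges == 0)
        return true;
    for (size_t i = 0; i < a->nranges; i++) {
        if (a->ranges[i].lo <= req_lo && req_hi <= a->ranges[i].hi)
            return true;   /* fully inside this one subrange */
    }
    return false;  /* only the union of subranges covers it, or nothing does */
}

/* Constructed example from the text: mem_phys allowed for 100-200 and 190-300. */
static const struct subrange mem_phys_ranges[] = { { 100, 200 }, { 190, 300 } };
const struct ability mem_phys_ability = { true, mem_phys_ranges, 2 };
const struct ability mem_phys_denied = { false, mem_phys_ranges, 2 }; /* subranges ignored */
const struct ability unconditional_ability = { true, NULL, 0 };      /* no subranges */

int main(void)
{
    printf("150-250 on allowed mem_phys: %s\n",
           ability_request_allowed(&mem_phys_ability, 150, 250) ? "granted" : "refused");
    printf("150-200 on allowed mem_phys: %s\n",
           ability_request_allowed(&mem_phys_ability, 150, 200) ? "granted" : "refused");
    printf("150-200 on denied mem_phys:  %s\n",
           ability_request_allowed(&mem_phys_denied, 150, 200) ? "granted" : "refused");
    return 0;
}
```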
Ability names
Every ability has a name which is used in security policies and in the output of tools such as pidin and secpolgenerate. When used programmatically with functions such as procmgr_ability() and ConnectClientInfoAble(), the equivalent numeric ID must be used instead.
For static abilities, each ability has a symbolic constant whose name is formed by adding PROCMGR_AID_ to the ability name in uppercase. For example, to specify the able_create ability, you would use PROCMGR_AID_ABLE_CREATE.
For custom abilities, the numeric ID is looked up by passing the ability name to either of the functions procmgr_ability_lookup() or procmgr_ability_create().
Static abilities
The table below describes the name portion for each static ability, indicates whether the operation is normally privileged (e.g., rebooting the system) or not (e.g., spawning and forking), and describes the subrange if applicable.

| Name/constant | Privileged? | Controls the process's ability to: | Subrange (optional) |
|---|---|---|---|
| able_create PROCMGR_AID_ABLE_CREATE | Yes | Allocate permanent identifiers for additional named abilities; for more information, see procmgr_ability_create() and procmgr_ability_lookup() | — |
| able_priv PROCMGR_AID_ABLE_PRIV | Yes | Enable a currently denied privileged ability, add subranges to such an ability, or inherit such an ability | — |
| channel_connect PROCMGR_AID_CHANNEL_CONNECT | Yes | Connect to channels belonging to other processes and that have a type ID other than 0. For more information, see Security Policies. | Allowable channel type IDs |
| child_newapp PROCMGR_AID_CHILD_NEWAPP | Yes | Create a new application ID for a child process by setting POSIX_SPAWN_NEWAPP for posix_spawn() or posix_spawnp(), or SPAWN_NEWAPP for the spawn*() functions | — |
| chroot PROCMGR_AID_CHROOT | Yes | Change the process's root directory by calling chroot(). | — |
| clockset PROCMGR_AID_CLOCKSET | Yes | Set the clock, using clock_settime(), settimeofday(), ClockAdjust(), or ClockTime() | Allowable times, in nanoseconds |
| confset PROCMGR_AID_CONFSET | Yes | Set configuration strings, using confstr() | Allowable names (_CS_*) |
| connection PROCMGR_AID_CONNECTION | Yes | | — |
| cpumode PROCMGR_AID_CPUMODE | Yes | Change the CPU's power management mode | Allowable modes |
| default_timer_tolerance PROCMGR_AID_DEFAULT_TIMER_TOLERANCE | Yes | Set the default timer tolerance for another process, using procmgr_timer_tolerance() | — |
| event PROCMGR_AID_EVENT | Yes | Trigger privileged system-wide events, using procmgr_event_trigger() or procmgr_event_trigger_updateable() | Trigger bits |
| fork PROCMGR_AID_FORK | No | Create a new process by calling fork() | — |
| getid PROCMGR_AID_GETID | Yes | Get the group ID or session ID of a process outside the calling process's session, by using getpgid() or getsid(), respectively | — |
| high_resolution_timer PROCMGR_AID_HIGH_RESOLUTION_TIMER | Yes | Set the timer tolerance to a value between 0 and the clock period, by calling timer_settime(), timer_timeout(), TimerSettime(), or TimerTimeout() | — |
| interrupt PROCMGR_AID_INTERRUPT | Yes | Attach to an interrupt by calling InterruptAttachEvent() or InterruptAttachThread(). | Interrupt sources |
| io PROCMGR_AID_IO | Yes | Request I/O privileges by calling ThreadCtl() with the _NTO_TCTL_IO_LEVEL, _NTO_TCTL_IO, or _NTO_TCTL_IO_PRIV command. | Level: 0 for _NTO_IO_LEVEL_1 or _NTO_TCTL_IO, or 1 for _NTO_IO_LEVEL_2 or _NTO_TCTL_IO_PRIV |
| mac_policy PROCMGR_AID_MAC_POLICY | Yes | Change the security policy that procnto enforces; see secpolpush in the Utilities Reference | — |
| map_fixed PROCMGR_AID_MAP_FIXED | No | Use mmap() with MAP_FIXED to map fixed addresses (including zero) | Allowable virtual addresses |
| mem_add PROCMGR_AID_MEM_ADD | Yes | Add physical memory | Allowable physical addresses |
| mem_lock PROCMGR_AID_MEM_LOCK | Yes | Lock a range of process address space into physical memory, by calling mlock() or mlockall() | Allowable virtual addresses |
| mem_peer PROCMGR_AID_MEM_PEER | Yes | Manipulate a peer process's memory | Peer user IDs |
| mem_phys PROCMGR_AID_MEM_PHYS | Yes | | Allowable physical addresses |
| mem_special PROCMGR_AID_MEM_SPECIAL | Yes | Call shm_ctl_special() | — |
| mountifs PROCMGR_AID_MOUNTIFS | Yes | Mount secondary image file systems. For more information, see the mount_ifs entry in the Utilities Reference. | — |
| msg_queue PROCMGR_AID_MSG_QUEUE | Yes | Create kernel message queues. | — |
| pathspace PROCMGR_AID_PATHSPACE | Yes | Add items to the procnto pathname prefix space, specifically to create symbolic links by calling pathmgr_symlink(), or to register names in the path space by calling resmgr_attach() | — |
| path_trust PROCMGR_AID_PATH_TRUST | Yes | Indicate that a filesystem is trusted. | — |
| pgrp PROCMGR_AID_PGRP | No | Set its process group ID, by calling setpgrp() or procmgr_session(). This ability is enabled by default (for POSIX conformance). | Process IDs |
| power PROCMGR_AID_POWER | Yes | Set power-management parameters | — |
| priority PROCMGR_AID_PRIORITY | Yes | The maximum unprivileged priority is usually 63, but is governed by the -P option to procnto. | Allowable priorities |
| privreg PROCMGR_AID_PRIVREG | Yes | Use the DCMD_PROC_GETREGSET and DCMD_PROC_SETREGSET devctl() commands to get and set privileged registers in the range from REGSET_STARTPRIV and up. See Controlling processes via the /proc filesystem in the Processes chapter of the QNX OS Programmer's Guide. | — |
| prot_exec PROCMGR_AID_PROT_EXEC | No | Load code by calling dlopen() or map memory as executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_EXEC | Allowable virtual addresses |
| prot_write_and_exec PROCMGR_AID_PROT_WRITE_AND_EXEC | No | Simultaneously map memory as writable and executable by calling mmap(), mmap_device_memory(), or mprotect() with PROT_WRITE \| PROT_EXEC | Allowable virtual addresses |
| public_channel PROCMGR_AID_PUBLIC_CHANNEL | No | Create a public channel by calling ChannelCreate() without setting _NTO_CHF_PRIVATE. Resource managers need this ability to create a public channel when they call dispatch_create_channel() or dispatch_create(). Programs that aren't resource managers need it to create a public channel when they call name_attach(). | — |
| qvm PROCMGR_AID_QVM | Yes | Reserved for the hypervisor | — |
| rconstraint PROCMGR_AID_RCONSTRAINT | No | Operate without any resource constraints. For more information, see Resource constraint thresholds in the Processes chapter of the QNX OS Programmer's Guide. | — |
| reboot PROCMGR_AID_REBOOT | Yes | Cause the system to reboot by calling sysmgr_reboot() | — |
| rlimit PROCMGR_AID_RLIMIT | Yes | Use setrlimit() to raise hard limits on system resources | Limits (RLIMIT_*) that it can raise |
| rlimit_peer PROCMGR_AID_RLIMIT_PEER | Yes | Change limits on system resources for other processes. | Allowable user IDs |
| rsrcdbmgr PROCMGR_AID_RSRCDBMGR | Yes | Use the rsrcdbmgr*() functions to manipulate the resource database manager | — |
| sandbox PROCMGR_AID_SANDBOX | Yes | Not used. | — |
| schedule PROCMGR_AID_SCHEDULE | Yes | Use SchedCtl() with the SCHED_CONFIGURE command, SchedGet(), sched_getparam(), sched_getscheduler(), SchedSet(), sched_setparam(), or sched_setscheduler() to get or set the scheduling policy and parameters for a process whose user ID is different from the calling process's real or effective user ID | — |
| server_monitor PROCMGR_AID_SERVER_MONITOR | Yes | Register with the process manager to be notified when servers don't respond to unblock requests promptly enough; see server-monitor in the Utilities Reference. | — |
| session PROCMGR_AID_SESSION | Yes | Use procmgr_session() to change a character terminal's process group or to send a signal to a member of a session group | Allowable session IDs |
| setgid PROCMGR_AID_SETGID | Yes | Set its real or effective group ID to values other than its real or effective group ID or its saved set-group ID, by calling setgid(), setegid(), or setregid(), or change or delete its supplementary group IDs by calling setgroups() | Allowable group IDs |
| settypeid PROCMGR_AID_SETTYPEID | Yes | Specify a type identifier in a call to posix_spawn() or call secpol_transition_type(). This ability supports subranges that control which type identifiers a process is able to use. A process may not even spawn a process or set its type to its current type if it lacks the ability. For more information, see Security Policies. | Allowable type IDs |
| setuid PROCMGR_AID_SETUID | Yes | Set its real or effective user ID to values other than its real or effective user ID or its saved set-user ID, by calling seteuid(), setuid(), or setreuid() | Allowable user IDs |
| sigev_thread PROCMGR_AID_SIGEV_THREAD | No | Use a SIGEV_THREAD sigevent. For a registered event, the ability check is done only when you call MsgRegisterEvent(). Other C library functions that are passed a sigevent as an argument do the ability check only for an unregistered SIGEV_THREAD event. These functions include InterruptAttachEvent(), MsgDeliverEvent(), procmgr_event_notify(), procmgr_event_notify_add(), procmgr_value_notify_add(), SyncCtl(), ThreadCtlExt(), TimerCreate(), and TimerTimeout(). | — |
| signal PROCMGR_AID_SIGNAL | Yes | | Allowable signals |
| spawn PROCMGR_AID_SPAWN | No | Spawn new processes by calling exec*(), spawn*(), or posix_spawn() | — |
| spawn_setgid PROCMGR_AID_SPAWN_SETGID | Yes | Set the group ID of the child process when using posix_spawn() | Allowable group IDs |
| spawn_setuid PROCMGR_AID_SPAWN_SETUID | Yes | Set the user ID of the child process when using posix_spawn() | Allowable user IDs |
| srandom PROCMGR_AID_SRANDOM | Yes | Use SysSrandom() to query the kernel for entropy | — |
| swap PROCMGR_AID_SWAP | Yes | Enable, disable, or configure the memory swapper | — |
| trace PROCMGR_AID_TRACE | Yes | Control or configure the kernel tracing subsystem. | — |
| umask PROCMGR_AID_UMASK | Yes | Change the file-mode creation mask for a process with a different effective user ID | — |
| untrusted_exec PROCMGR_AID_UNTRUSTED_EXEC | No | Execute files from an untrusted filesystem. For more information, see Pathtrust and the description of PROT_EXEC in the entry for mmap(). | — |
| wait PROCMGR_AID_WAIT | Yes | Use wait(), wait3(), wait4(), waitid(), or waitpid() to wait for the status of a terminated child process whose real or saved user ID is different from the calling process's real or effective user ID | Child process IDs |
| xprocess_able PROCMGR_AID_XPROCESS_ABLE | Yes | Change the abilities of another process. | — |
| xprocess_debug PROCMGR_AID_XPROCESS_DEBUG | Yes | | User IDs that can be accessed |
| xprocess_mem_read PROCMGR_AID_XPROCESS_MEM_READ | Yes | Open for reading the /proc/pid/as file of another process that's running as a different user ID than the requesting process. This ability is required to create core files, for full pidin functionality, and for debugging another process. | User IDs that can be accessed |
| xprocess_query PROCMGR_AID_XPROCESS_QUERY | Yes | | Allowable user IDs |
Custom abilities
The currently defined custom abilities are listed below. For more details about creating and using custom abilities, see procmgr_ability_lookup() and procmgr_ability_create().
- The filesystem event manager (fsevmgr) uses the following:

  | Name | Constant | Controls the process's ability to: |
  |---|---|---|
  | fsevmgr/qnxext | INOTIFY_ABILITY_QNX_EXT | Check for processes that want to listen to any of the QNX extended inotify events. |
  | fsevmgr/recurse | INOTIFY_ABILITY_RECURSE | Reserved for future use. |

  For more information, see inotify_qnx_ext().

- The resource manager library creates the following:

  | Name | Constant | Controls the process's ability to: |
  |---|---|---|
  | iofunc/chown | IOFUNC_ABILITY_CHOWN | Change the ownership of a file to a different UID, or change the GID of a file to a GID that the process does not belong to. |
  | iofunc/dup | IOFUNC_ABILITY_DUP | Obtain a duplicate of any process's file descriptor. |
  | iofunc/exec | IOFUNC_ABILITY_EXEC | Access files or directories within directories for which POSIX permissions and ACLs would prohibit access. Also allows the process to execute files it does not have execute permission for. |
  | iofunc/read | IOFUNC_ABILITY_READ | Open a file for read where POSIX permissions and ACLs would prohibit access. |

  A process should usually not be given the permissions granted by these abilities.

- The General Purpose Input/Output (GPIO) system uses the following:

  | Name | Constant | Controls the process's ability to: |
  |---|---|---|
  | io-gpio/all | — | |

- The io-sock networking manager uses the following:

  | Name | Used by io-sock to: |
  |---|---|
  | network/privport | Bind a privileged port (low port number). |
  | network/rawsocket | Control who can open a raw socket that uses Internet protocol family definitions provided by netinet/in.h. Required by utilities such as ping. |
  | network/reuseport | Control who can connect to a socket on the same port as another connection created by another user and to which the IP_BINDMULTI or SO_REUSEPORT socket options are applied. |
  | network/ipsec | Control who can administer IPsec. |
  | network/admin | Control the abilities that are not provided by another ability, but that a networking component generally requires (e.g., create and bring up interfaces, set the socket manager state via sysctl). Required by utilities such as dhclient. |

  For more information, see Privilege Control in the High-Performance Networking Stack User's Guide.

- The smmuman service uses the following:

  | Name | Constant | Controls the process's ability to: |
  |---|---|---|
  | smmu/attach | SMMU_ABILITY_ATTACH_NAME | Connect to the SMMUMAN service |
  | smmu/target | SMMU_ABILITY_TARGET_NAME | Use the SMF_TARGET flag with the smmu_mapping_add() function |

  For more information, see the SMMUMAN User's Guide.

- The block I/O system uses most of the following abilities to govern the use of some devctl() commands:

  | Name | Constant | Controls the process's ability to: |
  |---|---|---|
  | vfs/fs-control | BLK_ABILITY_FSCTL | Use the DCMD_FSYS_CTL argument. (For internal use only) |
  | vfs/mount-blk | BLK_ABILITY_MOUNTVFS | Use mount and umount. |
  | vfs/pregrow | BLK_ABILITY_PREGROW | Use the DCMD_FSYS_PREGROW_FILE argument. |
  | vfs/relearn | BLK_ABILITY_RELEARN | Use the DCMD_BLK_FORCE_RELEARN and DCMD_FSYS_FORCE_RELEARN arguments. |
  | vfs/stats-clear | BLK_ABILITY_STATSCLEAR | Use the DCMD_FSYS_STATISTICS and DCMD_FSYS_STATISTICS_CLR arguments. |

  For more information, see Devctl and Ioctl Commands and the Utilities Reference.