NAME

cap_fcntls_limit, cap_fcntls_get —

manage allowed fcntl commands

LIBRARY

Standard C Library (libc, -lc)

SYNOPSIS

#include <sys/capsicum.h>

int
cap_fcntls_limit(int fd, uint32_t fcntlrights);

int
cap_fcntls_get(int fd, uint32_t *fcntlrightsp);

DESCRIPTION

If a file descriptor is granted the CAP_FCNTL capability right, the list of allowed fcntl(2) commands can be selectively reduced (but never expanded) with the cap_fcntls_limit() system call.

A bitmask of allowed fcntls commands for a given file descriptor can be obtained with the cap_fcntls_get() system call.

FLAGS

The following flags may be specified in the fcntlrights argument or returned in the fcntlrightsp argument:

CAP_FCNTL_GETFL: Permit F_GETFL command.
CAP_FCNTL_SETFL: Permit F_SETFL command.
CAP_FCNTL_GETOWN: Permit F_GETOWN command.
CAP_FCNTL_SETOWN: Permit F_SETOWN command.

RETURN VALUES

Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

ERRORS

cap_fcntls_limit() succeeds unless:

[EBADF]: The fd argument is not a valid descriptor.
[EINVAL]: An invalid flag has been passed in fcntlrights.
[ENOTCAPABLE]: fcntlrights would expand the list of allowed fcntl(2) commands.

cap_fcntls_get() succeeds unless:

[EBADF]: The fd argument is not a valid descriptor.
[EFAULT]: The fcntlrightsp argument points at an invalid address.

HISTORY

The cap_fcntls_get() and cap_fcntls_limit() system calls first appeared in FreeBSD 8.3. Support for capabilities and capabilities mode was developed as part of the TrustedBSD Project.

AUTHORS

This function was created by Pawel Jakub Dawidek <pawel@dawidek.net> under sponsorship of the FreeBSD Foundation.