Copyright (c) 2008-2010 Robert N. M. Watson Copyright (c) 2012-2013 The FreeBSD Foundation All rights reserved. This software was developed at the University of Cambridge Computer Laboratory with support from a grant from Google, Inc. Portions of this documentation were written by Pawel Jakub Dawidek under sponsorship from the FreeBSD Foundation. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1....
NAME
    cap_rights_limit - limit capability rights
SYNOPSIS
    #include <sys/capsicum.h>

    int
    cap_rights_limit(int fd, const cap_rights_t *rights);
DESCRIPTION
    When a file descriptor is created by a function such as accept(2),
    accept4(2), fhopen(2), kqueue(2), mq_open(2), open(2), openat(2),
    pdfork(2), pipe(2), shm_open(2), socket(2) or socketpair(2), it is
    assigned all capability rights.  Those rights can be reduced (but never
    expanded) by using the cap_rights_limit() system call.  Once capability
    rights are reduced, operations on the file descriptor will be limited
    to those permitted by rights.

    The rights argument should be prepared using the cap_rights_init(3)
    family of functions.

    Capability rights assigned to a file descriptor can be obtained with
    the cap_rights_get(3) function.

    The complete list of the capability rights can be found in the
    rights(4) manual page.
RETURN VALUES
    The cap_rights_limit() function returns the value 0 if successful;
    otherwise the value -1 is returned and the global variable errno is set
    to indicate the error.
EXAMPLES
    The following example demonstrates how to limit file descriptor
    capability rights to allow reading only.

    #include <sys/capsicum.h>
    #include <err.h>
    #include <fcntl.h>
    #include <unistd.h>

    int
    main(void)
    {
            cap_rights_t setrights;
            char buf;
            int fd;

            /* The descriptor must be obtained before entering capability
             * mode, since open(2) by path is refused once inside it. */
            fd = open("/tmp/foo", O_RDWR);
            if (fd < 0)
                    err(1, "open() failed");

            if (cap_enter() < 0)
                    err(1, "cap_enter() failed");

            /* Reduce the descriptor's rights to CAP_READ only. */
            cap_rights_init(&setrights, CAP_READ);
            if (cap_rights_limit(fd, &setrights) < 0)
                    err(1, "cap_rights_limit() failed");

            /* write(2) must now fail with ENOTCAPABLE; read(2) still works. */
            buf = 'X';
            if (write(fd, &buf, sizeof(buf)) > 0)
                    errx(1, "write() succeeded!");
            if (read(fd, &buf, sizeof(buf)) < 0)
                    err(1, "read() failed");

            return (0);
    }
ERRORS
    cap_rights_limit() succeeds unless:

    [EBADF]            The fd argument is not a valid active descriptor.

    [EINVAL]           An invalid right has been requested in rights.

    [ENOTCAPABLE]      The rights argument contains capability rights not
                       present for the given file descriptor.  Capability
                       rights list can only be reduced, never expanded.
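    The following program is an added illustration and is not part of the
    cap_rights_limit(2) manual page.  It exercises the ENOTCAPABLE rule
    described above end to end: it limits a descriptor to CAP_READ and
    CAP_FSTAT, reads the result back with cap_rights_get(3) and
    cap_rights_is_set(3), shows that a later call which tries to add
    CAP_WRITE fails with ENOTCAPABLE, shows that the kernel enforces the
    limit on write(2) even though cap_enter(2) was never called, and
    finally narrows the set further (which is still allowed).  The
    temporary file path is a constructed placeholder; the program only
    builds its Capsicum part on FreeBSD, and on other platforms
    run_demo() reports -2 (Capsicum unavailable).

```c
/* Added example, not from cap_rights_limit(2).  FreeBSD only; on other
 * platforms run_demo() returns -2.  The /tmp path is a constructed
 * placeholder. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>

/*
 * Returns 0 when every expectation holds, or the number of the first
 * step whose expectation failed.
 */
int check_rights_monotonic(int fd)
{
    cap_rights_t want, have, wider;
    char c;

    /* Step 1: reduce the descriptor to read + fstat. */
    cap_rights_init(&want, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &want) < 0)
        return 1;

    /* Step 2: query the rights back and confirm exactly what was set. */
    if (cap_rights_get(fd, &have) < 0)
        return 2;
    if (!cap_rights_is_set(&have, CAP_READ, CAP_FSTAT) ||
        cap_rights_is_set(&have, CAP_WRITE))
        return 3;

    /* Step 3: trying to widen the set must fail with ENOTCAPABLE. */
    cap_rights_init(&wider, CAP_READ, CAP_FSTAT, CAP_WRITE);
    if (cap_rights_limit(fd, &wider) == 0 || errno != ENOTCAPABLE)
        return 4;

    /* Step 4: rights are enforced on the descriptor regardless of
     * capability mode; no cap_enter() was called, yet write(2) is
     * refused with ENOTCAPABLE. */
    c = 'X';
    if (write(fd, &c, sizeof(c)) >= 0 || errno != ENOTCAPABLE)
        return 5;

    /* Step 5: narrowing further (dropping CAP_FSTAT) is still allowed. */
    cap_rights_init(&want, CAP_READ);
    if (cap_rights_limit(fd, &want) < 0)
        return 6;

    return 0;
}

/* Creates a scratch file (opened O_RDWR by mkstemp), runs the checks,
 * cleans up, and returns the check result (-1 if setup failed). */
int run_demo(void)
{
    char path[] = "/tmp/cap_rights_demo.XXXXXX"; /* constructed placeholder */
    int fd, rc;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    rc = check_rights_monotonic(fd);
    close(fd);
    unlink(path);
    return rc;
}
#else
/* Capsicum is not available on this platform. */
int run_demo(void) { return -2; }
#endif

int main(void)
{
    int rc = run_demo();

    printf("cap_rights_limit demo: %s (%d)\n",
           rc == 0 ? "all expectations held" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

    A non-zero result other than -2 identifies the first step whose
    expectation did not hold, which makes the program usable as a quick
    regression check that a descriptor's rights really are monotonic.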