16f62d278SPawel Jakub Dawidek.\" 26f62d278SPawel Jakub Dawidek.\" Copyright (c) 2013 The FreeBSD Foundation 36f62d278SPawel Jakub Dawidek.\" 46f62d278SPawel Jakub Dawidek.\" This documentation was written by Pawel Jakub Dawidek under sponsorship 56f62d278SPawel Jakub Dawidek.\" from the FreeBSD Foundation. 66f62d278SPawel Jakub Dawidek.\" 76f62d278SPawel Jakub Dawidek.\" Redistribution and use in source and binary forms, with or without 86f62d278SPawel Jakub Dawidek.\" modification, are permitted provided that the following conditions 96f62d278SPawel Jakub Dawidek.\" are met: 106f62d278SPawel Jakub Dawidek.\" 1. Redistributions of source code must retain the above copyright 116f62d278SPawel Jakub Dawidek.\" notice, this list of conditions and the following disclaimer. 126f62d278SPawel Jakub Dawidek.\" 2. Redistributions in binary form must reproduce the above copyright 136f62d278SPawel Jakub Dawidek.\" notice, this list of conditions and the following disclaimer in the 146f62d278SPawel Jakub Dawidek.\" documentation and/or other materials provided with the distribution. 156f62d278SPawel Jakub Dawidek.\" 166f62d278SPawel Jakub Dawidek.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 176f62d278SPawel Jakub Dawidek.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 186f62d278SPawel Jakub Dawidek.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 196f62d278SPawel Jakub Dawidek.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 206f62d278SPawel Jakub Dawidek.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 216f62d278SPawel Jakub Dawidek.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 226f62d278SPawel Jakub Dawidek.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 236f62d278SPawel Jakub Dawidek.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 246f62d278SPawel Jakub Dawidek.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 256f62d278SPawel Jakub Dawidek.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 266f62d278SPawel Jakub Dawidek.\" SUCH DAMAGE. 276f62d278SPawel Jakub Dawidek.\" 28*a7100ae2SMariusz Zaborski.Dd November 25, 2023 296f62d278SPawel Jakub Dawidek.Dt CAP_RIGHTS_INIT 3 306f62d278SPawel Jakub Dawidek.Os 316f62d278SPawel Jakub Dawidek.Sh NAME 326f62d278SPawel Jakub Dawidek.Nm cap_rights_init , 336f62d278SPawel Jakub Dawidek.Nm cap_rights_set , 346f62d278SPawel Jakub Dawidek.Nm cap_rights_clear , 356f62d278SPawel Jakub Dawidek.Nm cap_rights_is_set , 36*a7100ae2SMariusz Zaborski.Nm cap_rights_is_empty , 376f62d278SPawel Jakub Dawidek.Nm cap_rights_is_valid , 386f62d278SPawel Jakub Dawidek.Nm cap_rights_merge , 396f62d278SPawel Jakub Dawidek.Nm cap_rights_remove , 406f62d278SPawel Jakub Dawidek.Nm cap_rights_contains 416f62d278SPawel Jakub Dawidek.Nd manage cap_rights_t structure 426f62d278SPawel Jakub Dawidek.Sh LIBRARY 436f62d278SPawel Jakub Dawidek.Lb libc 446f62d278SPawel Jakub Dawidek.Sh SYNOPSIS 45cf321a51SRobert Watson.In sys/capsicum.h 466f62d278SPawel Jakub Dawidek.Ft cap_rights_t * 476f62d278SPawel Jakub Dawidek.Fn cap_rights_init "cap_rights_t *rights" "..." 486f62d278SPawel Jakub Dawidek.Ft cap_rights_t * 496f62d278SPawel Jakub Dawidek.Fn cap_rights_set "cap_rights_t *rights" "..." 506f62d278SPawel Jakub Dawidek.Ft cap_rights_t * 516f62d278SPawel Jakub Dawidek.Fn cap_rights_clear "cap_rights_t *rights" "..." 526f62d278SPawel Jakub Dawidek.Ft bool 536f62d278SPawel Jakub Dawidek.Fn cap_rights_is_set "const cap_rights_t *rights" "..." 546f62d278SPawel Jakub Dawidek.Ft bool 55*a7100ae2SMariusz Zaborski.Fn cap_rights_is_empty "const cap_rights_t *rights" 56*a7100ae2SMariusz Zaborski.Ft bool 576f62d278SPawel Jakub Dawidek.Fn cap_rights_is_valid "const cap_rights_t *rights" 586f62d278SPawel Jakub Dawidek.Ft cap_rights_t * 596f62d278SPawel Jakub Dawidek.Fn cap_rights_merge "cap_rights_t *dst" "const cap_rights_t *src" 606f62d278SPawel Jakub Dawidek.Ft cap_rights_t * 616f62d278SPawel Jakub Dawidek.Fn cap_rights_remove "cap_rights_t *dst" "const cap_rights_t *src" 626f62d278SPawel Jakub Dawidek.Ft bool 636f62d278SPawel Jakub Dawidek.Fn cap_rights_contains "const cap_rights_t *big" "const cap_rights_t *little" 646f62d278SPawel Jakub Dawidek.Sh DESCRIPTION 656f62d278SPawel Jakub DawidekThe functions documented here allow to manage the 666f62d278SPawel Jakub Dawidek.Vt cap_rights_t 676f62d278SPawel Jakub Dawidekstructure. 686f62d278SPawel Jakub Dawidek.Pp 696f62d278SPawel Jakub DawidekCapability rights should be separated with comma when passed to the 706f62d278SPawel Jakub Dawidek.Fn cap_rights_init , 716f62d278SPawel Jakub Dawidek.Fn cap_rights_set , 726f62d278SPawel Jakub Dawidek.Fn cap_rights_clear 736f62d278SPawel Jakub Dawidekand 746f62d278SPawel Jakub Dawidek.Fn cap_rights_is_set 756f62d278SPawel Jakub Dawidekfunctions. 766f62d278SPawel Jakub DawidekFor example: 776f62d278SPawel Jakub Dawidek.Bd -literal 786f62d278SPawel Jakub Dawidekcap_rights_set(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT, CAP_SEEK); 796f62d278SPawel Jakub Dawidek.Ed 806f62d278SPawel Jakub Dawidek.Pp 816f62d278SPawel Jakub DawidekThe complete list of the capability rights can be found in the 826f62d278SPawel Jakub Dawidek.Xr rights 4 836f62d278SPawel Jakub Dawidekmanual page. 846f62d278SPawel Jakub Dawidek.Pp 856f62d278SPawel Jakub DawidekThe 866f62d278SPawel Jakub Dawidek.Fn cap_rights_init 876f62d278SPawel Jakub Dawidekfunction initialize provided 886f62d278SPawel Jakub Dawidek.Vt cap_rights_t 896f62d278SPawel Jakub Dawidekstructure. 906f62d278SPawel Jakub DawidekOnly properly initialized structure can be passed to the remaining functions. 916f62d278SPawel Jakub DawidekFor convenience the structure can be filled with capability rights instead of 926f62d278SPawel Jakub Dawidekcalling the 936f62d278SPawel Jakub Dawidek.Fn cap_rights_set 946f62d278SPawel Jakub Dawidekfunction later. 956f62d278SPawel Jakub DawidekFor even more convenience pointer to the given structure is returned, so it can 966f62d278SPawel Jakub Dawidekbe directly passed to 976f62d278SPawel Jakub Dawidek.Xr cap_rights_limit 2 : 986f62d278SPawel Jakub Dawidek.Bd -literal 996f62d278SPawel Jakub Dawidekcap_rights_t rights; 1006f62d278SPawel Jakub Dawidek 1016f62d278SPawel Jakub Dawidekif (cap_rights_limit(fd, cap_rights_init(&rights, CAP_READ, CAP_WRITE)) < 0) 1026f62d278SPawel Jakub Dawidek err(1, "Unable to limit capability rights"); 1036f62d278SPawel Jakub Dawidek.Ed 1046f62d278SPawel Jakub Dawidek.Pp 1056f62d278SPawel Jakub DawidekThe 1066f62d278SPawel Jakub Dawidek.Fn cap_rights_set 1076f62d278SPawel Jakub Dawidekfunction adds the given capability rights to the given 1086f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1096f62d278SPawel Jakub Dawidekstructure. 1106f62d278SPawel Jakub Dawidek.Pp 1116f62d278SPawel Jakub DawidekThe 1126f62d278SPawel Jakub Dawidek.Fn cap_rights_clear 1136f62d278SPawel Jakub Dawidekfunction removes the given capability rights from the given 1146f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1156f62d278SPawel Jakub Dawidekstructure. 1166f62d278SPawel Jakub Dawidek.Pp 1176f62d278SPawel Jakub DawidekThe 1186f62d278SPawel Jakub Dawidek.Fn cap_rights_is_set 1196f62d278SPawel Jakub Dawidekfunction checks if all the given capability rights are set for the given 1206f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1216f62d278SPawel Jakub Dawidekstructure. 1226f62d278SPawel Jakub Dawidek.Pp 1236f62d278SPawel Jakub DawidekThe 124*a7100ae2SMariusz Zaborski.Fn cap_rights_is_empty 125*a7100ae2SMariusz Zaborskifunction checks if the 126*a7100ae2SMariusz Zaborski.Fa rights 127*a7100ae2SMariusz Zaborskistructure is empty. 128*a7100ae2SMariusz Zaborski.Pp 129*a7100ae2SMariusz ZaborskiThe 1306f62d278SPawel Jakub Dawidek.Fn cap_rights_is_valid 1316f62d278SPawel Jakub Dawidekfunction verifies if the given 1326f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1336f62d278SPawel Jakub Dawidekstructure is valid. 1346f62d278SPawel Jakub Dawidek.Pp 1356f62d278SPawel Jakub DawidekThe 1366f62d278SPawel Jakub Dawidek.Fn cap_rights_merge 1376f62d278SPawel Jakub Dawidekfunction merges all capability rights present in the 1386f62d278SPawel Jakub Dawidek.Fa src 1396f62d278SPawel Jakub Dawidekstructure into the 1406f62d278SPawel Jakub Dawidek.Fa dst 1416f62d278SPawel Jakub Dawidekstructure. 1426f62d278SPawel Jakub Dawidek.Pp 1436f62d278SPawel Jakub DawidekThe 1446f62d278SPawel Jakub Dawidek.Fn cap_rights_remove 1456f62d278SPawel Jakub Dawidekfunction removes all capability rights present in the 1466f62d278SPawel Jakub Dawidek.Fa src 1476f62d278SPawel Jakub Dawidekstructure from the 1486f62d278SPawel Jakub Dawidek.Fa dst 1496f62d278SPawel Jakub Dawidekstructure. 1506f62d278SPawel Jakub Dawidek.Pp 1516f62d278SPawel Jakub DawidekThe 1526f62d278SPawel Jakub Dawidek.Fn cap_rights_contains 1536f62d278SPawel Jakub Dawidekfunction checks if the 1546f62d278SPawel Jakub Dawidek.Fa big 1556f62d278SPawel Jakub Dawidekstructure contains all capability rights present in the 1566f62d278SPawel Jakub Dawidek.Fa little 1576f62d278SPawel Jakub Dawidekstructure. 1586f62d278SPawel Jakub Dawidek.Sh RETURN VALUES 1596f62d278SPawel Jakub DawidekThe functions never fail. 1606f62d278SPawel Jakub DawidekIn case an invalid capability right or an invalid 1616f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1626f62d278SPawel Jakub Dawidekstructure is given as an argument, the program will be aborted. 1636f62d278SPawel Jakub Dawidek.Pp 1646f62d278SPawel Jakub DawidekThe 1656f62d278SPawel Jakub Dawidek.Fn cap_rights_init , 1666f62d278SPawel Jakub Dawidek.Fn cap_rights_set 1676f62d278SPawel Jakub Dawidekand 1686f62d278SPawel Jakub Dawidek.Fn cap_rights_clear 1696f62d278SPawel Jakub Dawidekfunctions return pointer to the 1706f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1716f62d278SPawel Jakub Dawidekstructure given in the 1726f62d278SPawel Jakub Dawidek.Fa rights 1736f62d278SPawel Jakub Dawidekargument. 1746f62d278SPawel Jakub Dawidek.Pp 1756f62d278SPawel Jakub DawidekThe 1766f62d278SPawel Jakub Dawidek.Fn cap_rights_merge 1776f62d278SPawel Jakub Dawidekand 1786f62d278SPawel Jakub Dawidek.Fn cap_rights_remove 1796f62d278SPawel Jakub Dawidekfunctions return pointer to the 1806f62d278SPawel Jakub Dawidek.Vt cap_rights_t 1816f62d278SPawel Jakub Dawidekstructure given in the 1826f62d278SPawel Jakub Dawidek.Fa dst 1836f62d278SPawel Jakub Dawidekargument. 1846f62d278SPawel Jakub Dawidek.Pp 1856f62d278SPawel Jakub DawidekThe 1866f62d278SPawel Jakub Dawidek.Fn cap_rights_is_set 1876f62d278SPawel Jakub Dawidekreturns 1886f62d278SPawel Jakub Dawidek.Va true 1896f62d278SPawel Jakub Dawidekif all the given capability rights are set in the 1906f62d278SPawel Jakub Dawidek.Fa rights 1916f62d278SPawel Jakub Dawidekargument. 1926f62d278SPawel Jakub Dawidek.Pp 1936f62d278SPawel Jakub DawidekThe 194*a7100ae2SMariusz Zaborski.Fn cap_rights_is_empty 195*a7100ae2SMariusz Zaborskifunction returns 196*a7100ae2SMariusz Zaborski.Va true 197*a7100ae2SMariusz Zaborskiif none of the capability rights are set in the 198*a7100ae2SMariusz Zaborski.Fa rights 199*a7100ae2SMariusz Zaborskistructure. 200*a7100ae2SMariusz Zaborski.Pp 201*a7100ae2SMariusz ZaborskiThe 2026f62d278SPawel Jakub Dawidek.Fn cap_rights_is_valid 2036f62d278SPawel Jakub Dawidekfunction performs various checks to see if the given 2046f62d278SPawel Jakub Dawidek.Vt cap_rights_t 2056f62d278SPawel Jakub Dawidekstructure is valid and returns 2066f62d278SPawel Jakub Dawidek.Va true 2076f62d278SPawel Jakub Dawidekif it is. 2086f62d278SPawel Jakub Dawidek.Pp 2096f62d278SPawel Jakub DawidekThe 2106f62d278SPawel Jakub Dawidek.Fn cap_rights_contains 2116f62d278SPawel Jakub Dawidekfunction returns 2126f62d278SPawel Jakub Dawidek.Va true 2136f62d278SPawel Jakub Dawidekif all capability rights set in the 2146f62d278SPawel Jakub Dawidek.Fa little 2156f62d278SPawel Jakub Dawidekstructure are also present in the 2166f62d278SPawel Jakub Dawidek.Fa big 2176f62d278SPawel Jakub Dawidekstructure. 2186f62d278SPawel Jakub Dawidek.Sh EXAMPLES 2196f62d278SPawel Jakub DawidekThe following example demonstrates how to prepare a 2206f62d278SPawel Jakub Dawidek.Vt cap_rights_t 2216f62d278SPawel Jakub Dawidekstructure to be passed to the 2226f62d278SPawel Jakub Dawidek.Xr cap_rights_limit 2 2236f62d278SPawel Jakub Dawideksystem call. 2246f62d278SPawel Jakub Dawidek.Bd -literal 2256f62d278SPawel Jakub Dawidekcap_rights_t rights; 2266f62d278SPawel Jakub Dawidekint fd; 2276f62d278SPawel Jakub Dawidek 2286f62d278SPawel Jakub Dawidekfd = open("/tmp/foo", O_RDWR); 2296f62d278SPawel Jakub Dawidekif (fd < 0) 2306f62d278SPawel Jakub Dawidek err(1, "open() failed"); 2316f62d278SPawel Jakub Dawidek 2326f62d278SPawel Jakub Dawidekcap_rights_init(&rights, CAP_FSTAT, CAP_READ); 2336f62d278SPawel Jakub Dawidek 2346f62d278SPawel Jakub Dawidekif (allow_write_and_seek) 2356f62d278SPawel Jakub Dawidek cap_rights_set(&rights, CAP_WRITE, CAP_SEEK); 2366f62d278SPawel Jakub Dawidek 2376f62d278SPawel Jakub Dawidekif (dont_allow_seek) 2386f62d278SPawel Jakub Dawidek cap_rights_clear(&rights, CAP_SEEK); 2396f62d278SPawel Jakub Dawidek 2406f62d278SPawel Jakub Dawidekif (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) 2416f62d278SPawel Jakub Dawidek err(1, "cap_rights_limit() failed"); 2426f62d278SPawel Jakub Dawidek.Ed 2436f62d278SPawel Jakub Dawidek.Sh SEE ALSO 2446f62d278SPawel Jakub Dawidek.Xr cap_rights_limit 2 , 2456f62d278SPawel Jakub Dawidek.Xr open 2 , 2466f62d278SPawel Jakub Dawidek.Xr capsicum 4 , 2476f62d278SPawel Jakub Dawidek.Xr rights 4 2486f62d278SPawel Jakub Dawidek.Sh HISTORY 249421f325eSGordon BerglingThe functions 250421f325eSGordon Bergling.Fn cap_rights_init , 251421f325eSGordon Bergling.Fn cap_rights_set , 252421f325eSGordon Bergling.Fn cap_rights_clear , 253421f325eSGordon Bergling.Fn cap_rights_is_set , 254421f325eSGordon Bergling.Fn cap_rights_is_valid , 255421f325eSGordon Bergling.Fn cap_rights_merge , 256421f325eSGordon Bergling.Fn cap_rights_remove 257421f325eSGordon Berglingand 258421f325eSGordon Bergling.Fn cap_rights_contains 259421f325eSGordon Berglingfirst appeared in 260421f325eSGordon Bergling.Fx 8.3 . 2616f62d278SPawel Jakub DawidekSupport for capabilities and capabilities mode was developed as part of the 2626f62d278SPawel Jakub Dawidek.Tn TrustedBSD 2636f62d278SPawel Jakub DawidekProject. 2646f62d278SPawel Jakub Dawidek.Sh AUTHORS 2656f62d278SPawel Jakub DawidekThis family of functions was created by 2668fbf3d50SBaptiste Daroussin.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net 2676f62d278SPawel Jakub Dawidekunder sponsorship from the FreeBSD Foundation. 268