mirror of https://github.com/mkerrisk/man-pages
prctl.2: Document operations for ambient capabilities
Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
3a0c27f88e
commit
e81a96ecbd
13
man2/prctl.2
13
man2/prctl.2
|
@ -954,6 +954,19 @@ had been called.
|
|||
For further information on Intel MPX, see the kernel source file
|
||||
.IR Documentation/x86/intel_mpx.txt .
|
||||
.\"
|
||||
.TP
|
||||
.BR PR_CAP_AMBIENT " (since Linux 4.2)"
|
||||
Reads or changes the ambient capability set. If arg2 is PR_CAP_AMBIENT_RAISE,
|
||||
then the capability specified in arg3 is added to the ambient set. This will
|
||||
fail, returning EPERM, if the capability is not already both permitted and
|
||||
inheritable or if the SECBIT_NO_CAP_AMBIENT_RAISE securebit is set. If arg2
|
||||
is PR_CAP_AMBIENT_LOWER, then the capability specified in arg3 is removed
|
||||
from the ambient set. If arg2 is PR_CAP_AMBIENT_IS_SET, then
|
||||
.BR prctl (2)
|
||||
will return 1 if the capability in arg3 is in the ambient set and 0 if not.
|
||||
If arg2 is PR_CAP_AMBIENT_CLEAR_ALL, then all capabilities will
|
||||
be removed from the ambient set. (Using PR_CAP_AMBIENT_CLEAR_ALL requires
|
||||
setting arg3 to zero.)
|
||||
.SH RETURN VALUE
|
||||
On success,
|
||||
.BR PR_GET_DUMPABLE ,
|
||||
|
|
Loading…
Reference in New Issue