blob: d7654f0ebb44ea6f4e02d5c44bb08d18cb6aa342 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Allows a process to freely manipulate its inheritable
capabilities. Linux supports the POSIX.1e Inheritable
set, as well as Bounding and Ambient Linux extension
vectors. This capability permits dropping bits from the
Bounding vector. It also permits the process to raise
Ambient vector bits that are both raised in the
Permitted and Inheritable sets of the process. This
capability cannot be used to raise Permitted bits, or
Effective bits beyond those already present in the
process' permitted set.
[Historical note: prior to the advent of file
capabilities (2008), this capability was suppressed by
default, as its unsuppressed behavior was not
auditable: it could asynchronously grant its own
Permitted capabilities to and remove capabilities from
other processes arbitrarily. The former leads to
undefined behavior, and the latter is better served by
the kill system call.]
|
