| field | value | date |
|---|---|---|
| author | Alejandro Colomar <alx@kernel.org> | 2024-05-26 16:29:12 +0200 |
| committer | Alejandro Colomar <alx@kernel.org> | 2024-05-30 15:31:14 +0200 |
| commit | 2c29a8a4fb71f38aacf38ca66bc58ef2184be68a (patch) | |
| tree | aa47bc3dea979e0043d9d00523955a6b8edcf2c3 | |
| parent | 12bbec45195be0604e649f03239d73a62da83613 (diff) | |
| download | man-pages-2c29a8a4fb71f38aacf38ca66bc58ef2184be68a.tar.gz | |
prctl.2, PR_CAPBSET_DROP.2const: Split PR_CAPBSET_DROP from prctl(2)
Signed-off-by: Alejandro Colomar <alx@kernel.org>
| file | mode | lines changed |
|---|---|---|
| man/man2/prctl.2 | -rw-r--r-- | 39 |
| man/man2const/PR_CAPBSET_DROP.2const | -rw-r--r-- | 75 |

2 files changed, 78 insertions, 36 deletions
diff --git a/man/man2/prctl.2 b/man/man2/prctl.2 index be46d221e7..2583ec246e 100644 --- a/man/man2/prctl.2 +++ b/man/man2/prctl.2 @@ -19,7 +19,6 @@ .\" Added PR_SET_TIMING, PR_GET_TIMING, PR_SET_NAME, PR_GET_NAME, .\" PR_SET_UNALIGN, PR_GET_UNALIGN, PR_SET_FPEMU, PR_GET_FPEMU, .\" PR_SET_FPEXC, PR_GET_FPEXC -.\" 2008-04-29 Serge Hallyn, Document PR_CAPBSET_DROP .\" 2008-06-13 Erik Bosman, <ejbosman@cs.vu.nl> .\" Document PR_GET_TSC and PR_SET_TSC. .\" 2008-06-15 mtk, Document PR_SET_SECCOMP, PR_GET_SECCOMP @@ -68,33 +67,8 @@ The first argument can be: .B PR_CAP_AMBIENT .TQ .B PR_CAPBSET_READ -.\" prctl PR_CAPBSET_DROP -.TP -.BR PR_CAPBSET_DROP " (since Linux 2.6.25)" -If the calling thread has the -.B CAP_SETPCAP -capability within its user namespace, then drop the capability specified by -.I arg2 -from the calling thread's capability bounding set. -Any children of the calling thread will inherit the newly -reduced bounding set. -.IP -The call fails with the error: -.B EPERM -if the calling thread does not have the -.BR CAP_SETPCAP ; -.B EINVAL -if -.I arg2 -does not represent a valid capability; or -.B EINVAL -if file capabilities are not enabled in the kernel, -in which case bounding sets are not supported. -.IP -A higher-level interface layered on top of this operation is provided in the -.BR libcap (3) -library in the form of -.BR cap_drop_bound (3). +.TQ +.B PR_CAPBSET_DROP .\" prctl PR_SET_CHILD_SUBREAPER .TP .BR PR_SET_CHILD_SUBREAPER " (since Linux 3.4)" @@ -2338,14 +2312,6 @@ flag is set .B EPERM .I op is -.BR PR_CAPBSET_DROP , -and the caller does not have the -.B CAP_SETPCAP -capability. -.TP -.B EPERM -.I op -is .BR PR_SET_MM , and the caller does not have the .B CAP_SYS_RESOURCE @@ -2389,4 +2355,5 @@ glibc 2.0.6 .BR signal (2), .BR PR_CAP_AMBIENT (2const), .BR PR_CAPBSET_READ (2const), +.BR PR_CAPBSET_DROP (2const), .BR core (5) 
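Review bot: the SEE ALSO hunk of prctl.2 appends `+.BR PR_CAPBSET_DROP (2const),` after `.BR PR_CAPBSET_READ (2const),`, but man-pages(7) wants SEE ALSO entries sorted alphabetically within a section and DROP sorts before READ, so swap the two lines. The `.TQ` list under "The first argument can be:" in the second hunk adds PR_CAPBSET_DROP after PR_CAPBSET_READ in the same way; whichever order is kept there, keep it consistent with the other split-out PR_CAPBSET_* entries so readers can find the operations in a predictable place.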
diff --git a/man/man2const/PR_CAPBSET_DROP.2const b/man/man2const/PR_CAPBSET_DROP.2const new file mode 100644 index 0000000000..9805b4e581 --- /dev/null +++ b/man/man2const/PR_CAPBSET_DROP.2const 
@@ -0,0 +1,75 @@ +.\" Copyright 2008, Serge Hallyn <serge@hallyn.com> +.\" Copyright 2008, 2012, 2013, 2015, Michael Kerrisk <mtk.manpages@gmail.com> +.\" +.\" SPDX-License-Identifier: Linux-man-pages-copyleft +.\" +.\" 2008-04-29 Serge Hallyn, Document PR_CAPBSET_DROP +.\" +.TH PR_CAPBSET_DROP 2const (date) "Linux man-pages (unreleased)" +.SH NAME +PR_CAPBSET_DROP +\- +drop capabilities from the calling thread's capability bounding set +.SH LIBRARY +Standard C library +.RI ( libc ", " \-lc ) +.SH SYNOPSIS +.nf +.B #include <sys/prctl.h> +.P +.BI "int prctl(int " op ", ..." +.BI " \fR/*\fP unsigned long " arg2 ", unsigned long " arg3 , +.BI " unsigned long " arg4 ", unsigned long " arg5 " \fR*/\fP );" +.fi +.SH DESCRIPTION +.TP +.BR PR_CAPBSET_DROP " (since Linux 2.6.25)" +If the calling thread has the +.B CAP_SETPCAP +capability within its user namespace, then drop the capability specified by +.I arg2 +from the calling thread's capability bounding set. +Any children of the calling thread will inherit the newly +reduced bounding set. +.IP +The call fails with the error: +.B EPERM +if the calling thread does not have the +.BR CAP_SETPCAP ; +.B EINVAL +if +.I arg2 +does not represent a valid capability; or +.B EINVAL +if file capabilities are not enabled in the kernel, +in which case bounding sets are not supported. +.IP +A higher-level interface layered on top of this operation is provided in the +.BR libcap (3) +library in the form of +.BR cap_drop_bound (3). +.SH RETURN VALUE +On success, +values return 0 on success. +On error, \-1 is returned, and +.I errno +is set to indicate the error. +.SH ERRORS +.TP +.B EINVAL +.I arg2 +is not a valid value for this +.IR op . +.TP +.B EPERM +.I op +is +.BR PR_CAPBSET_DROP , +and the caller does not have the +.B CAP_SETPCAP +capability. +.SH STANDARDS +Linux. +.SH HISTORY +.SH SEE ALSO +.BR prctl (2), |
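Review bot: RETURN VALUE in the new PR_CAPBSET_DROP.2const reads `+On success,` / `+values return 0 on success.`, which is garbled and says "on success" twice; make it "On success, 0 is returned." and keep the errno sentence that follows. Three smaller points in the same file: the NAME line says "drop capabilities" although the operation drops the single capability named by arg2, so "drop a capability from the calling thread's capability bounding set" is more accurate; the HISTORY section is empty while the "(since Linux 2.6.25)" tag is still carried on the DESCRIPTION entry, so put "Linux 2.6.25." under HISTORY; and ERRORS lists only one EINVAL case (arg2 not a valid value) even though the DESCRIPTION also documents EINVAL when file capabilities are not enabled in the kernel, so add that second EINVAL entry (the EPERM entry's "op is PR_CAPBSET_DROP, and" clause is also redundant on a page dedicated to that op). Finally, the last visible line of the file is `+.BR prctl (2),` with a trailing comma and nothing after it; since the diffstat counts 75 added lines, check whether the file really ends there, and either drop the comma or follow it with the references the DESCRIPTION already cites, cap_drop_bound(3) and libcap(3).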
