capng_lock(3) — Linux manual page


CAPNG_LOCK(3)                 Libcap-ng API                CAPNG_LOCK(3)

NAME

       capng_lock - lock the current process capabilities settings

SYNOPSIS

       #include <cap-ng.h>

       int capng_lock(void);

DESCRIPTION

       capng_lock takes steps to prevent children of the current
       process from regaining full privileges if the uid is 0. It should
       be called while the process holds the CAP_SETPCAP capability.
       If permitted by the kernel, the function uses PR_SET_SECUREBITS
       to turn on the NOROOT option, the NOROOT_LOCKED option, the
       PR_NO_SETUID_FIXUP option, and the PR_NO_SETUID_FIXUP_LOCKED
       option.

RETURN VALUE

       This returns 0 on success and a negative number on failure. -1
       means a failure setting any of the PR_SET_SECUREBITS options.
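
       Added example, not part of the libcap-ng manual page or project:
       a check to run after capng_lock() returns 0, or in a child that
       expects to inherit the lock, which reads the securebits with
       prctl(PR_GET_SECUREBITS) and reports which of the four flags from
       DESCRIPTION are absent. The SECBIT_* names are the kernel's names
       for those flags as given in capabilities(7); missing_lock_bits
       and report_missing are hypothetical helper names.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/securebits.h>

/* Kernel names (capabilities(7)) for the four flags the DESCRIPTION lists. */
static const struct { unsigned bit; const char *name; } lock_flags[] = {
    { SECBIT_NOROOT,                 "SECBIT_NOROOT" },
    { SECBIT_NOROOT_LOCKED,          "SECBIT_NOROOT_LOCKED" },
    { SECBIT_NO_SETUID_FIXUP,        "SECBIT_NO_SETUID_FIXUP" },
    { SECBIT_NO_SETUID_FIXUP_LOCKED, "SECBIT_NO_SETUID_FIXUP_LOCKED" },
};
#define N_LOCK_FLAGS (sizeof lock_flags / sizeof lock_flags[0])

/* Hypothetical helper: mask of lock flags absent from `securebits`.
 * A result of 0 means all four flags are set. */
unsigned missing_lock_bits(unsigned securebits)
{
    unsigned missing = 0;
    for (size_t i = 0; i < N_LOCK_FLAGS; i++)
        if (!(securebits & lock_flags[i].bit))
            missing |= lock_flags[i].bit;
    return missing;
}

/* Hypothetical helper: name each absent flag on `out`; returns how many. */
int report_missing(unsigned securebits, FILE *out)
{
    unsigned missing = missing_lock_bits(securebits);
    int count = 0;
    for (size_t i = 0; i < N_LOCK_FLAGS; i++)
        if (missing & lock_flags[i].bit) {
            fprintf(out, "not set: %s\n", lock_flags[i].name);
            count++;
        }
    return count;
}

/* Exit status: 0 = all four flags set, 1 = at least one absent, 2 = prctl failed. */
int main(void)
{
    int bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (bits < 0) {
        perror("prctl(PR_GET_SECUREBITS)");
        return 2;
    }
    return report_missing((unsigned)bits, stderr) ? 1 : 0;
}
```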

SEE ALSO

       capng_apply(3), prctl(2), capabilities(7)

AUTHOR

       Steve Grubb

COLOPHON

       This page is part of the libcap-ng (capabilities commands and
       library (NG)) project.  Information about the project can be
       found at ⟨https://people.redhat.com/sgrubb/libcap-ng/⟩.  It is
       not known how to report bugs for this man page; if you know,
       please send a mail to [email protected].  This page was obtained
       from the tarball libcap-ng-0.8.5.tar.gz fetched from
       ⟨https://people.redhat.com/sgrubb/libcap-ng/index.html⟩ on
       2024-06-14.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more up-
       to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to
       [email protected]

Red Hat                         June 2009                  CAPNG_LOCK(3)