FreeBSD Manual Pages
CAP_IOCTLS_LIMIT(2) System Calls Manual CAP_IOCTLS_LIMIT(2) NAME cap_ioctls_limit, cap_ioctls_get -- manage allowed ioctl commands LIBRARY Standard C Library (libc, -lc) SYNOPSIS #include <sys/capsicum.h> int cap_ioctls_limit(int fd, const unsigned long *cmds, size_t ncmds); ssize_t cap_ioctls_get(int fd, unsigned long *cmds, size_t maxcmds); DESCRIPTION If a file descriptor is granted the CAP_IOCTL capability right, the list of allowed ioctl(2) commands can be selectively reduced (but never expanded) with the cap_ioctls_limit() system call. The cmds argument is an array of ioctl(2) commands and the ncmds argument specifies the number of elements in the array. There can be up to 256 elements in the array. Including an element that has been previously revoked will generate an error. After a successful call only those listed in the array may be used. The list of allowed ioctl commands for a given file descriptor can be obtained with the cap_ioctls_get() system call. The cmds argument points at memory that can hold up to maxcmds values. The function pop- ulates the provided buffer with up to maxcmds elements, but always re- turns the total number of ioctl commands allowed for the given file de- scriptor. The total number of ioctls commands for the given file de- scriptor can be obtained by passing NULL as the cmds argument and 0 as the maxcmds argument. If all ioctl commands are allowed (CAP_IOCTL ca- pability right is assigned to the file descriptor and the cap_ioctls_limit() system call was never called for this file descrip- tor), the cap_ioctls_get() system call will return CAP_IOCTLS_ALL and will not modify the buffer pointed to by the cmds argument. RETURN VALUES The cap_ioctls_limit() function returns the value 0 if successful; oth- erwise the value -1 is returned and the global variable errno is set to indicate the error. The cap_ioctls_get() function, if successful, returns the total number of allowed ioctl commands or the value CAP_IOCTLS_ALL if all ioctls commands are allowed. On failure the value -1 is returned and the global variable errno is set to indicate the error. ERRORS The cap_ioctls_limit() and cap_ioctls_get() system calls will fail if: [EBADF] The fd argument is not a valid descriptor. [EFAULT] The cmds argument points at an invalid address. [ENOSYS] The running kernel was compiled without options CAPABILITY_MODE. The cap_ioctls_limit() system call may also return the following er- rors: [EINVAL] The ncmds argument is greater than 256. [ENOTCAPABLE] cmds would expand the list of allowed ioctl(2) com- mands. SEE ALSO cap_fcntls_limit(2), cap_rights_limit(2), ioctl(2) HISTORY The cap_ioctls_get() and cap_ioctls_limit() system calls first appeared in FreeBSD 8.3. Support for capabilities and capabilities mode was de- veloped as part of the TrustedBSD Project. AUTHORS This function was created by Pawel Jakub Dawidek <pawel@dawidek.net> under sponsorship of the FreeBSD Foundation. FreeBSD 13.2 March 9, 2023 CAP_IOCTLS_LIMIT(2)
NAME | LIBRARY | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO | HISTORY | AUTHORS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=cap_ioctls_limit&sektion=2&manpath=FreeBSD+14.1-RELEASE+and+Ports>