20 lines
879 B
Plaintext
20 lines
879 B
Plaintext
Allows a process to freely manipulate its inheritable
|
|
capabilities. Linux supports the POSIX.1e Inheritable
|
|
set, as well as Bounding and Ambient Linux extension
|
|
vectors. This capability permits dropping bits from the
|
|
Bounding vector. It also permits the process to raise
|
|
Ambient vector bits that are both raised in the
|
|
Permitted and Inheritable sets of the process. This
|
|
capability cannot be used to raise Permitted bits, or
|
|
Effective bits beyond those already present in the
|
|
process' permitted set.
|
|
|
|
[Historical note: prior to the advent of file
|
|
capabilities (2008), this capability was suppressed by
|
|
default, as its unsuppressed behavior was not
|
|
auditable: it could asynchronously grant its own
|
|
Permitted capabilities to and remove capabilities from
|
|
other processes arbitraily. The former leads to
|
|
undefined behavior, and the latter is better served by
|
|
the kill system call.]
|