capng_lock man page

capng_lock — lock the current process capabilities settings

Synopsis

#include <cap-ng.h>

int capng_lock(void);

Description

capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.

Return Value

This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.

See Also

capng_apply(3), prctl(2), capabilities(7)

Author

Steve Grubb

Info

June 2009 Red Hat Libcap-ng API