NAME

cap_ioctls_limit, cap_ioctls_getmanage allowed ioctl commands

LIBRARY

Standard C Library (libc, -lc)

SYNOPSIS

#include <sys/capsicum.h>
int
cap_ioctls_limit(int fd, const unsigned long *cmds, size_t ncmds);
ssize_t
cap_ioctls_get(int fd, unsigned long *cmds, size_t maxcmds);

DESCRIPTION

If a file descriptor is granted the CAP_IOCTL capability right, the list of allowed ioctl(2) commands can be selectively reduced (but never expanded) with the cap_ioctls_limit() system call. The cmds argument is an array of ioctl(2) commands and the ncmds argument specifies the number of elements in the array. There can be up to 256 elements in the array. Including an element that has been previously revoked will generate an error. After a successful call only those listed in the array may be used.
The list of allowed ioctl commands for a given file descriptor can be obtained with the cap_ioctls_get() system call. The cmds argument points at memory that can hold up to maxcmds values. The function populates the provided buffer with up to maxcmds elements, but always returns the total number of ioctl commands allowed for the given file descriptor. The total number of ioctls commands for the given file descriptor can be obtained by passing NULL as the cmds argument and 0 as the maxcmds argument. If all ioctl commands are allowed (CAP_IOCTL capability right is assigned to the file descriptor and the cap_ioctls_limit() system call was never called for this file descriptor), the cap_ioctls_get() system call will return CAP_IOCTLS_ALL and will not modify the buffer pointed to by the cmds argument.

RETURN VALUES

The cap_ioctls_limit() function returns the value 0 if successful; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
The cap_ioctls_get() function, if successful, returns the total number of allowed ioctl commands or the value CAP_IOCTLS_ALL if all ioctls commands are allowed. On failure the value -1 is returned and the global variable errno is set to indicate the error.

ERRORS

cap_ioctls_limit() succeeds unless:
[EBADF]
The fd argument is not a valid descriptor.
[EFAULT]
The cmds argument points at an invalid address.
[EINVAL]
The ncmds argument is greater than 256.
[ENOTCAPABLE]
cmds would expand the list of allowed ioctl(2) commands.
cap_ioctls_get() succeeds unless:
[EBADF]
The fd argument is not a valid descriptor.
[EFAULT]
The cmds argument points at invalid address.

SEE ALSO

cap_fcntls_limit(2), cap_rights_limit(2), ioctl(2)

HISTORY

The cap_ioctls_get() and cap_ioctls_limit() system calls first appeared in FreeBSD 8.3. Support for capabilities and capabilities mode was developed as part of the TrustedBSD Project.

AUTHORS

This function was created by Pawel Jakub Dawidek <[email protected]> under sponsorship of the FreeBSD Foundation.

Recommended readings

Pages related to cap_ioctls_get you should read also:
cap_fcntls_limit(2) cap_rights_limit(2) ioctl(2)

Questions & Answers

Helpful answers and articles about cap_ioctls_get you may found on these sites:
Stack Overflow Server Fault Super User Unix & Linux Ask Ubuntu Network Engineering DevOps Raspberry Pi Webmasters Google Search