capng_apply(3) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | NOTES | SEE ALSO | AUTHOR | COLOPHON

CAPNG_APPLY(3)                Libcap-ng API               CAPNG_APPLY(3)

NAME         top

       capng_apply - apply the stored capabilities settings

SYNOPSIS         top

       #include <cap-ng.h>

       int capng_apply(capng_select_t set);

DESCRIPTION         top

       capng_apply will transfer the specified internal POSIX
       capabilities settings to the kernel. The options are
       CAPNG_SELECT_CAPS for the traditional capabilities,
       CAPNG_SELECT_BOUNDS for the bounding set, CAPNG_SELECT_BOTH if
       transferring both is desired, CAPNG_SELECT_AMBIENT if only
       operating on the ambient capabilities, or CAPNG_SELECT_ALL if
       applying all is desired.

RETURN VALUE         top

       This returns 0 on success and a negative value on failure. The
       values are:

              -1 not initialized

              -2 CAPNG_SELECT_BOUNDS and failure to drop a bounding set
              capability

              -3 CAPNG_SELECT_BOUNDS and failure to re-read bounding set

              -4 CAPNG_SELECT_BOUNDS and process does not have
              CAP_SETPCAP

              -5 CAPNG_SELECT_CAPS and failure in capset syscall

              -6 CAPNG_SELECT_AMBIENT and process has no capabilities
              and failed clearing ambient capabilities

              -7 CAPNG_SELECT_AMBIENT and process has capabilities and
              failed clearing ambient capabilities

              -8 CAPNG_SELECT_AMBIENT and process has capabilities and
              failed setting an ambient capability

              -9 Unable to acquire process capabilities to check if
              CAP_SETPCAP is set.

NOTES         top

       If you are doing multi-threaded programming, calling this
       function will only set capabilities on the calling thread. All
       other threads are unaffected. If you want to set overall
       capabilities for a multi-threaded process, you will need to do
       that before creating any threads. See the capset syscall for more
       information on this topic.

       Also, bits in the bounding set can only be dropped. You cannot
       set them. After dropping bounding set capabilities, the bounding
       set is synchronized with the kernel to reflect the true state in
       the kernel.

SEE ALSO         top

       capset(2), capng_update(3), capabilities(7)

AUTHOR         top

       Steve Grubb

COLOPHON         top

       This page is part of the libcap-ng (capabilities commands and
       library (NG)) project.  Information about the project can be
       found at ⟨https://people.redhat.com/sgrubb/libcap-ng/⟩.  It is
       not known how to report bugs for this man page; if you know,
       please send a mail to man-pages@man7.org.  This page was obtained
       from the tarball libcap-ng-0.8.4.tar.gz fetched from
       ⟨https://people.redhat.com/sgrubb/libcap-ng/index.html⟩ on
       2023-12-22.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more up-
       to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to
       man-pages@man7.org

Red Hat                         Sept 2023                 CAPNG_APPLY(3)

Pages that refer to this page: capng_change_id(3)capng_fill(3)capng_lock(3)