NAME
caph_limit_stream,
caph_limit_stdin,
caph_limit_stderr,
caph_limit_stdout,
caph_limit_stdio,
caph_stream_rights,
caph_cache_tzdata,
caph_cache_catpages,
caph_enter,
caph_enter_casper,
caph_rights_limit,
caph_ioctls_limit,
caph_fcntls_limit —
set of the capsicum helpers, part of
the libcapsicum
LIBRARY
library “libcapsicum”
SYNOPSIS
#include
<capsicum_helpers.h>
int
caph_enter(void);
int
caph_enter_casper(void);
int
caph_rights_limit(int
fd, const cap_rights_t
*rights);
int
caph_ioctls_limit(int
fd, const unsigned long
*cmds, size_t
ncmds);
int
caph_fcntls_limit(int
fd, uint32_t
fcntlrights);
int
caph_limit_stream(int
fd, int flags);
int
caph_limit_stdin(void);
int
caph_limit_stderr(void);
int
caph_limit_stdout(void);
int
caph_limit_stdio(void);
void
caph_stream_rights(cap_rights_t
*, int flags);
void
caph_cache_tzdata(void);
void
caph_cache_catpages(void);
DESCRIPTION
Thecaph_enter,
caph_rights_limit,
caph_ioctls_limit and
caph_fcntls_limit are respectively equivalent to
cap_enter(2),
cap_rights_limit(2),
cap_ioctls_limit(2) and
cap_fcntls_limit(2), it returns success when the kernel is
built without support of the capability mode.
The caph_enter_casper is equivalent to the
caph_enter it returns success when the system is
built without Casper support.
The capsicum helpers are a set of a inline
functions which simplify modifying programs to use Capsicum. The goal is to
reduce duplicated code patterns. The capsicum
helpers are part of libcapsicum but there is
no need to link to the library.
caph_limit_stream()
restricts capabilities on fd to only those needed by
POSIX stream objects (that is, FILEs).
These flags can be provided:
CAPH_IGNORE_EBADF- Do not return an error if file descriptor is invalid.
CAPH_READ- Set CAP_READ on limited descriptor.
CAPH_WRITE- Set CAP_WRITE on limited descriptor.
caph_limit_stdin(),
caph_limit_stderr()
and
caph_limit_stdout()
limit standard descriptors using the
caph_limit_stream function.
caph_limit_stdio()
limits stdin, stderr and stdout.
caph_stream_rights
may be used to initialize rights with the same rights
that a stream would be limited to, as if
caph_limit_stream()
had been invoked using the same flags.
caph_cache_tzdata()
precaches all timezone data needed to use libc local
time functions.
caph_cache_catpages()
caches Native Language Support (NLS) data. NLS data is used for localized
error printing by
strerror(3) and
err(3), among others.