The io-pkt manager uses general and custom process manager abilities to protect the privileged operations required by networking components.
For an overview of process manager abilities, see Process privileges in the Processes chapter of the QNX Neutrino Programmer's Guide, and the entries for procmgr_ability() and iofunc_ability_check() in the C Library Reference.
The general abilities govern which process-manager operations io-pkt is allowed to perform. Once io-pkt is up and running, you can use the qnx.kern.droproot sysctl variable to tell it to stop running as root and run instead as the user that you specified with the -U option. At that point io-pkt relinquishes every ability except the ones it needs; if your network driver needs more, you can name additional abilities for io-pkt to retain. On the command line, you set the value like this:
sysctl -w qnx.kern.droproot=value
The value is a hexadecimal number whose bits indicate which abilities io-pkt should keep (combine the flags below with a bitwise OR), or 0 if you want io-pkt to continue to run as root. The QNX_DROPROOT_* flags are defined in <sys/iopkt_ability.h>:
Constant | Value | Keep this ability |
---|---|---|
QNX_DROPROOT_STD | 0x0001 | Drop root without keeping any additional abilities (keep the standard ones listed below) |
QNX_DROPROOT_INTERRUPT | 0x0002 | PROCMGR_AID_INTERRUPT |
QNX_DROPROOT_CONNECTION | 0x0004 | PROCMGR_AID_CONNECTION |
QNX_DROPROOT_TIMER | 0x0008 | PROCMGR_AID_TIMER |
QNX_DROPROOT_PROT_EXEC | 0x0010 | PROCMGR_AID_PROT_EXEC |
QNX_DROPROOT_PATHSPACE | 0x0020 | Not used; io-pkt keeps PROCMGR_AID_PATHSPACE by default |
QNX_DROPROOT_QNET | 0x0040 | PROCMGR_AID_QNET |
QNX_DROPROOT_PUBLIC_CHANNEL | 0x0080 | PROCMGR_AID_PUBLIC_CHANNEL |
By default, io-pkt retains the following abilities:
In addition to using the general abilities, io-pkt sets up and uses some custom abilities to govern specific networking operations. A process that doesn't hold the relevant custom ability is denied the operation that the ability guards. You can grant one of these abilities to a non-root process when you launch it, using the -A option of the on utility. For example, to start a shell as the user guest that is allowed to set privileged interface parameters, and to let the programs started from that shell inherit the ability:
on -u guest -Aallow,nonroot,able="network/interface/setpriv",inherit sh
The shell from which you issue the on command must itself already hold the ability; on can pass along only abilities that the caller has.
The names of the abilities are defined in <sys/iopkt_ability.h>:
Constant | Value | Description |
---|---|---|
_IOPKT_ABILITY_NW_BIND_PRIVPORT | network/bind/privport | Controls the ability to bind a privileged port; required by rresvport() |
_IOPKT_ABILITY_NW_INTERFACE_GETPRIV | network/interface/getpriv | Controls whether retrieving privileged information from the device via ioctl() is permitted |
_IOPKT_ABILITY_NW_INTERFACE_SETPRIV | network/interface/setpriv | Controls whether setting privileged parameters on the device via ioctl() is permitted |
_IOPKT_ABILITY_NW_ROUTE_SET | network/route/set | Controls whether routing-related operations are permitted |
_IOPKT_ABILITY_NW_SOCKET_RAWSOCK | network/socket/rawsock | Controls who can allocate and use raw sockets; required by utilities such as ping and ping6 |
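The following startup-script fragment is an added example and is not part of the QNX documentation or of io-pkt itself. It ties the two procedures above together: it builds the qnx.kern.droproot value from QNX_DROPROOT_* flag names (using the bit values listed in the first table), emits the sysctl command that drops root once the stack is running, and emits the on command that hands a custom ability such as network/interface/setpriv to an unprivileged program. The stack binary name io-pkt-v6-hc, the user name netuser and the decision to always set QNX_DROPROOT_STD alongside the other flags are assumptions made here, not facts stated on this page.

```shell
#!/bin/sh
# Added example, not QNX's own code. Helpers for dropping io-pkt's root
# privileges and for granting io-pkt custom abilities with on(1).
# Assumed: stack binary io-pkt-v6-hc, user netuser; the page itself does not
# say whether QNX_DROPROOT_STD is implied by the other flags, so this script
# always sets it explicitly (conservative assumption).

# Bit value of a QNX_DROPROOT_* flag, given its name without the prefix.
# Values are those defined in <sys/iopkt_ability.h> (see the table above).
droproot_flag() {
    case "$1" in
        STD)            echo 1 ;;
        INTERRUPT)      echo 2 ;;
        CONNECTION)     echo 4 ;;
        TIMER)          echo 8 ;;
        PROT_EXEC)      echo 16 ;;
        PATHSPACE)      echo 32 ;;   # not used by io-pkt; PATHSPACE is kept anyway
        QNET)           echo 64 ;;
        PUBLIC_CHANNEL) echo 128 ;;
        *)              return 1 ;;  # unknown name: caller reports the error
    esac
}

# OR the named flags together (STD always included) and print the result as
# the hexadecimal value expected by sysctl -w qnx.kern.droproot=...
droproot_value() {
    mask=1
    for name in "$@"; do
        bit=$(droproot_flag "$name") || { echo "unknown QNX_DROPROOT flag: $name" >&2; return 1; }
        mask=$(( mask | bit ))
    done
    printf '0x%04x\n' "$mask"
}

# Tell a running io-pkt to switch to the -U user, keeping only the named
# extra abilities. Refuses unknown flag names rather than guessing.
drop_iopkt_root() {
    value=$(droproot_value "$@") || return 1
    sysctl -w "qnx.kern.droproot=$value"
}

# Build the on(1) command that starts PROG as USER holding ABILITY, with the
# ability inherited by PROG's children. The invoking shell must already hold
# the ability itself.
grant_ability_cmd() {
    user=$1; ability=$2; shift 2
    printf 'on -u %s -Aallow,nonroot,able="%s",inherit %s\n' "$user" "$ability" "$*"
}

# Stand-alone use: print (rather than run) the sequence for a stack started
# as netuser whose driver still needs the interrupt and timer abilities.
# io-pkt runs as root until the sysctl is issued, so drop root as soon as
# the stack is up.
echo "io-pkt-v6-hc -U netuser   # assumed stack binary; start as root, -U names the target user"
echo "sysctl -w qnx.kern.droproot=$(droproot_value INTERRUPT TIMER)"
grant_ability_cmd guest network/interface/setpriv sh
```

On a target you would call drop_iopkt_root INTERRUPT TIMER from the startup script once io-pkt has initialized; the helper exits non-zero on a misspelled flag name instead of silently emitting a mask that leaves io-pkt running as root.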