1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
.TH "CAPNG_LOCK" "3" "Mar 2026" "Red Hat" "Libcap-ng API"
.SH NAME
capng_lock \- lock the current process capabilities settings
.SH "SYNOPSIS"
.B #include <cap-ng.h>
.sp
int capng_lock(void);
.SH "DESCRIPTION"
capng_lock will take steps to prevent children of the current process
to regain full privileges if the uid is 0. This should be called while
possessing the CAP_SETPCAP capability in the kernel. This function will
do the following if permitted by the kernel:
.IP \[bu] 2
Set the NOROOT option on for PR_SET_SECUREBITS.
.IP \[bu] 2
Set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS.
.IP \[bu] 2
Set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS.
.IP \[bu] 2
Set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
.PP
It does not enable PR_SET_KEEPCAPS or the KEEP_CAPS/KEEP_CAPS_LOCKED
securebits; after a successful call those usually remain off unless the
caller changed them separately.
.SH "RETURN VALUE"
This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. -2 means failure setting PR_SET_NO_NEW_PRIVS. These are additive meaning -3 is a failure of both.
.SH "SEE ALSO"
.BR capng_apply (3),
.BR prctl (2),
.BR capabilities (7)
.SH AUTHOR
Steve Grubb
|
