If a file descriptor is granted the CAP_IOCTL capability right, the list of allowed ioctl(2) commands can be selectively reduced (but never expanded) with the cap_ioctls_limit() system call. The cmds argument is an array of ioctl(2) commands and the ncmds argument specifies the number of elements in the array. There can be up to 256 elements in the array. Including an element that has been previously revoked will generate an error. After a successful call only those listed in the array may be used.

The list of allowed ioctl commands for a given file descriptor can be obtained with the cap_ioctls_get() system call. The cmds argument points at memory that can hold up to maxcmds values. The function populates the provided buffer with up to maxcmds elements, but always returns the total number of ioctl commands allowed for the given file descriptor. The total number of ioctl commands for the given file descriptor can be obtained by passing NULL as the cmds argument and 0 as the maxcmds argument.

If all ioctl commands are allowed (CAP_IOCTL capability right is assigned to the file descriptor and the cap_ioctls_limit() system call was never called for this file descriptor), the cap_ioctls_get() system call will return CAP_IOCTLS_ALL and will not modify the buffer pointed to by the cmds argument.
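
The following is an added example, not code from the original page or from FreeBSD: it queries the current list with the size-then-contents pattern described above, checks that a requested list only reduces it, and then applies the limit. The names limit_is_reduction() and narrow_ioctls(), the MAX_IOCTLS macro and the -2 return value are hypothetical choices of this example; the system-call part is built only on FreeBSD.

```c
#include <stdlib.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif
#ifndef CAP_IOCTLS_ALL  /* stand-in so the helper builds without <sys/capsicum.h> */
#define CAP_IOCTLS_ALL ((ssize_t)(((size_t)-1) >> 1))
#endif
#define MAX_IOCTLS 256  /* array size bound stated in the text above */

/* nhave is what cap_ioctls_get() returned, have[] the buffer it filled.
 * Returns 1 if limiting to want[] only reduces the list, 0 otherwise. */
int limit_is_reduction(const unsigned long *want, size_t nwant,
                       const unsigned long *have, ssize_t nhave)
{
    if (nwant > MAX_IOCTLS)
        return 0;
    if (nhave == CAP_IOCTLS_ALL)        /* never limited: have[] was not written */
        return 1;
    for (size_t i = 0; i < nwant; i++) {
        ssize_t j = 0;
        while (j < nhave && have[j] != want[i])
            j++;
        if (j == nhave)                 /* want[i] is not allowed any more */
            return 0;
    }
    return 1;
}

#ifdef __FreeBSD__
/* Returns 0 on success, -1 if a system call failed, -2 if want[] would expand. */
int narrow_ioctls(int fd, const unsigned long *want, size_t nwant)
{
    unsigned long *have = NULL;
    ssize_t n = cap_ioctls_get(fd, NULL, 0);        /* total count only */
    if (n < 0)
        return -1;
    if (n != CAP_IOCTLS_ALL && n > 0) {
        have = calloc((size_t)n, sizeof(*have));
        if (have == NULL || (n = cap_ioctls_get(fd, have, (size_t)n)) < 0) {
            free(have);
            return -1;
        }
    }
    int ok = limit_is_reduction(want, nwant, have, n);
    free(have);
    return ok ? cap_ioctls_limit(fd, want, nwant) : -2;
}
#endif
```

The pre-check exists only to tell a caller why a limit would be refused; the kernel enforces the same rule when cap_ioctls_limit() is called.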