You can remove privileges from the permitted set, but once a privilege is removed it cannot be added back. Only privileges in the permitted set can be in the inheritable set so do not remove a permitted privilege that needs to be in the inheritable set. This example removes the file_mac_write privilege from the permitted set. The 1 indicates the parameter list has one privilege constant.
if(set_permitted_priv(PRIV_OFF, 1, PRIV_FILE_MAC_WRITE) == -1) perror ("Cannot remove file_mac_write from permitted set");
Before this call the permitted set contains these privileges:
executable Permitted = file_mac_write,file_setpriv,proc_setid |
After this call the permitted set contains these privileges:
executable Permitted = file_setpriv,proc_setid |