Trusted Solaris Developer's Guide

Clear and Set the Inheritable Set

To set the privileges that will be active after a new program is started using exec(2), first clear the inheritable set of the process, then initialize it with the privileges that you want the program to inherit.

This example clears the inheritable privilege set. The PRIV_SET parameter clears the set, and the zero (0) parameter indicates that no list of privilege IDs follows.

if (set_inheritable_priv(PRIV_SET, 0) == -1)
	perror("Cannot clear inheritable privileges");

Before this call the inheritable set contains these privileges:


Inheritable = file_mac_write,file_setpriv,proc_setid

After this call the inheritable set contains this privilege:


Inheritable = none

The following example sets the proc_setid privilege in the inheritable privilege set. Any privilege in the permitted set can be placed in the inheritable set; placing any other privilege in the inheritable set results in an Invalid Argument error. Because the proc_setid privilege is in the permitted set for executable, it can be placed in the inheritable set. Because it is also in the allowed set for execfile, the new program can use it when execfile is exec'd in "Execute a File".

if (set_inheritable_priv(PRIV_ON, 1, PRIV_PROC_SETID) == -1)
	perror("Cannot set proc_setid privilege in inheritable set");

After this call the inheritable set contains this privilege:


Inheritable = proc_setid
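
The clear-then-set sequence and the Invalid Argument rule described above, as an added example that is not from the guide: a user-space C model of the rules, not a call into the Trusted Solaris API. The model_* and M_* names, the bit values, the M_SYS_AUDIT stand-in for a privilege outside the permitted set, the treatment of M_SET as "replace with the listed IDs", and the rule that a failed call leaves the set unchanged are assumptions.

```c
/* Model only: simulates the inheritable-set rules; all names are hypothetical. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>

/* Constructed bit values standing in for privilege IDs. */
enum { M_FILE_MAC_WRITE = 1u << 0, M_FILE_SETPRIV = 1u << 1,
       M_PROC_SETID = 1u << 2, M_SYS_AUDIT = 1u << 3 };
enum model_op { M_SET, M_ON };          /* stand-ins for PRIV_SET / PRIV_ON */
struct model_proc { unsigned permitted, inheritable; };

/* Same call shape as the page's examples: (op, count, ids...).
 * Any id outside the permitted set fails with EINVAL (set left unchanged: assumed). */
int model_set_inheritable(struct model_proc *p, enum model_op op, int n, ...)
{
    unsigned req = 0;
    va_list ap;
    va_start(ap, n);
    for (int i = 0; i < n; i++)
        req |= (unsigned)va_arg(ap, int);
    va_end(ap);
    if (req & ~p->permitted) { errno = EINVAL; return -1; }
    p->inheritable = (op == M_SET) ? req : (p->inheritable | req);
    return 0;
}

/* Assumed model: usable after exec only if inherited AND allowed on the file. */
unsigned model_usable_after_exec(const struct model_proc *p, unsigned allowed)
{
    return p->inheritable & allowed;
}

/* The page's sequence: clear, then turn on proc_setid. Returns the final set. */
unsigned model_clear_then_set(struct model_proc *p)
{
    if (model_set_inheritable(p, M_SET, 0) == -1) perror("clear");
    if (model_set_inheritable(p, M_ON, 1, M_PROC_SETID) == -1) perror("set");
    return p->inheritable;
}

int main(void)
{
    unsigned three = M_FILE_MAC_WRITE | M_FILE_SETPRIV | M_PROC_SETID;
    struct model_proc p = { three, three };   /* constructed starting state */
    printf("inheritable = 0x%x\n", model_clear_then_set(&p));
    if (model_set_inheritable(&p, M_ON, 1, M_SYS_AUDIT) == -1) perror("sys_audit");
    return 0;
}
```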