Allows a process to freely manipulate its inheritable
capabilities.

Linux supports the POSIX.1e Inheritable set, the POSIX.1e (X
vector) known in Linux as the Bounding vector, as well as
the Linux extension Ambient vector.

This capability permits dropping bits from the Bounding
vector (i.e. raising B bits in the libcap IAB
representation). It also permits the process to raise
Ambient vector bits that are both raised in the Permitted
and Inheritable sets of the process. This capability cannot
be used to raise Permitted bits, Effective bits beyond those
already present in the process' permitted set, or
Inheritable bits beyond those present in the Bounding
vector.

[Historical note: prior to the advent of file capabilities
(2008), this capability was suppressed by default, as its
unsuppressed behavior was not auditable: it could
asynchronously grant its own Permitted capabilities to and
remove capabilities from other processes arbitrarily. The
former leads to undefined behavior, and the latter is better
served by the kill system call.]
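The operations described above, exercised against a live kernel, as an added
example (this is not libcap's own code): dropping a Bounding vector bit with
prctl(PR_CAPBSET_DROP), adding an Inheritable bit with capset(2) beyond what
Permitted holds, and raising an Ambient bit with prctl(PR_CAP_AMBIENT). Each
helper also encodes the rule the text states and reports whether the running
kernel agrees, so the same binary is informative whether run unprivileged
(every privileged step returns EPERM and nothing changes) or with CAP_SETPCAP.
It assumes Linux 4.3 or later with glibc; CAP_NET_RAW is a constructed choice
of bit to experiment on and the helper names are this example's own.

```c
/* cap_setpcap_demo.c: exercises the operations CAP_SETPCAP gates and checks the
 * kernel's verdicts against the rules stated above. Added example, not libcap code.
 * Assumes Linux >= 4.3 (Ambient vector) and glibc. Build: gcc -Wall cap_setpcap_demo.c */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#include <linux/securebits.h>

#define CAPBIT(c) ((uint64_t)1 << (c))
struct capsets { uint64_t effective, permitted, inheritable; };

/* Snapshot of the thread's POSIX.1e sets via capget(2) v3 (two 32-bit halves each). */
static int read_capsets(struct capsets *cs)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return errno;
    cs->effective   = (uint64_t)d[1].effective   << 32 | d[0].effective;
    cs->permitted   = (uint64_t)d[1].permitted   << 32 | d[0].permitted;
    cs->inheritable = (uint64_t)d[1].inheritable << 32 | d[0].inheritable;
    return 0;
}

/* Bounding vector: 1 if cap is present, 0 if not, -errno on error. Needs no privilege. */
static int bset_read(int cap)
{
    int rc = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return rc < 0 ? -errno : rc;
}

/* Drop cap from the Bounding vector and return 1 if the kernel behaved as documented:
 * with CAP_SETPCAP the bit is cleared (for this process and everything it execs);
 * without it the call fails with EPERM before cap is even looked at, and nothing changes. */
static int bset_drop_consistent(int cap)
{
    int before = bset_read(cap);
    int rc = prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : errno;
    int after = bset_read(cap);
    return rc == 0 ? (after == 0) : (rc == EPERM && after == before);
}

/* Add cap to Inheritable with capset(2), leaving Permitted and Effective unchanged. */
static int inheritable_raise(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return errno;
    d[cap / 32].inheritable |= 1u << (cap % 32);
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : errno;
}

/* Rule for one new Inheritable bit: allowed if already Inheritable, or if it is in the
 * Bounding vector and either already Permitted or CAP_SETPCAP is Effective. 1 if kernel agrees. */
static int inheritable_rule_holds(int cap)
{
    struct capsets cs;
    if (read_capsets(&cs) != 0)
        return 0;
    int predicted_ok = (cs.inheritable & CAPBIT(cap)) || (bset_read(cap) == 1 &&
        ((cs.permitted & CAPBIT(cap)) || (cs.effective & CAPBIT(CAP_SETPCAP))));
    int rc = inheritable_raise(cap);
    if (read_capsets(&cs) != 0)
        return 0;
    int now_set = (cs.inheritable & CAPBIT(cap)) != 0;
    return predicted_ok ? (rc == 0 && now_set) : (rc == EPERM && !now_set);
}

/* Rule from the text: an Ambient bit can be raised only when it is raised in both
 * Permitted and Inheritable; SECBIT_NO_CAP_AMBIENT_RAISE is the kernel's one extra veto. */
static int ambient_rule_holds(int cap)
{
    struct capsets cs;
    int secbits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (read_capsets(&cs) != 0 || secbits < 0)
        return 0;
    int predicted_ok = (cs.permitted & CAPBIT(cap)) && (cs.inheritable & CAPBIT(cap)) &&
                       !(secbits & SECBIT_NO_CAP_AMBIENT_RAISE);
    int was_set = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
    int rc = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : errno;
    int now_set = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
    return predicted_ok ? (rc == 0 && now_set == 1) : (rc == EPERM && now_set == was_set);
}

int main(void)
{
    int cap = CAP_NET_RAW;  /* constructed choice: a harmless bit to experiment on */
    printf("inheritable rule holds: %d\n", inheritable_rule_holds(cap));
    printf("ambient rule holds: %d\n", ambient_rule_holds(cap));
    printf("bounding drop rule holds: %d\n", bset_drop_consistent(cap));
    printf("CAP_NET_RAW still in bounding vector: %d\n", bset_read(cap));
    return 0;
}
```

Run it once as an unprivileged user, once as root, and once as root with the
capability removed (capsh --drop=cap_setpcap -- -c ./cap_setpcap_demo): the
rule checks report 1 in all three cases while the last line shows the Bounding
vector bit surviving only when CAP_SETPCAP was absent. Note that the drop is
not undoable: a Bounding vector bit, once cleared, stays cleared for the
process and every descendant, which is exactly why dropping it is the safe
direction and raising it is not offered.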