proc_dointvec_bset is a specially restricted version of proc_dointvec for setting of kernel capabilities ( cap_bset). It is a good example of how to use a sysctl interface to set up access to security critical data structures in a simple but still safe way (see linux/kernel/sysctl.c for details). To protect this data structure not only the tight limits imposed by proc_dointvec are used, but also kernel capabilities:
int proc_dointvec_bset(
ctl_table *table,
int write,
struct file *filp,
void *buffer,
size_t *lenp)
{
if (!capable(CAP_SYS_MODULE)) {
return -EPERM;
}
return do_proc_dointvec(
table,write,filp,buffer,lenp,1,
(current->pid == 1) ? OP_SET : OP_AND);
}
The assignment of the callback function is as expected (from linux/kernel/sysctl.c:
extern kernel_cap_t cap_bset;
ctl_table kernel_table[] = {
...
{KERN_CAP_BSET, "cap-bound", &cap_bset,
sizeof(kernel_cap_t), 0600, NULL,
&proc_dointvec_bset},
...
{0}};
It is no recommended to use proc_dointvec_bset for other variables. This should be seen as a sample implementation to build specific proc callback functions for security critical variables.