This is a fairly limited capability mechanism that can be used to prevent writes or resizing of a file. Sealing is currently implemented as removing caprights to the file where possible -- partial sealing of ftruncate(2) is possible, and this implementation attempted to fill that gap by removing the FTRUNCATE capability entirely if both GROW and SHRINK are specified, and handling them individually in ftruncate(2) if not.
This implementation differs from Linux in that ENOTCAPABLE is returned instead of EPERM if sealing prevents an action, to be internally consistent.

File sealing applies protections against certain actions (currently: write, growth, shrink) at the inode level.
New fileops are added to accommodate seals - EINVAL is returned by fcntl(2) if they are not implemented.