#compdef setpriv

__setpriv_prctl_securebits_set_element() {
  local -a expl matches
  local -a bits

  bits=(noroot noroot_locked
        no_setuid_fixup no_setuid_fixup_locked
        keep_caps_locked
  )
  matches=( {-,+}"${(@)^bits}" )
  _wanted minus-plus-securebits expl 'prctl securebits' \
    compadd "$@" -a - matches
}

__setpriv_prctl_securebits_set() {
  _sequence __setpriv_prctl_securebits_set_element
}

__setpriv_capability_expressions() {
  # Nonlocal expl; _description call expected.
  local -a caps matches

  _capability_names caps
  # Strip the prefix "cap_" from every array element.
  # For every element, prepend "-" and "+" to the element.
  matches=( {-,+}"${(@)^caps#cap_}" )
  compadd "$@" "${(@)expl}" -a - matches
}

__setpriv_caps_all() {
  # Nonlocal expl; _description call expected.
  local -a names matches

  names=(all)
  matches=( {-,+}"${(@)^names}" )
  compadd "$@" "${(@)expl}" -a - matches
}

__setpriv_cap_set_element() {
  # We pass through arguments from _sequence.
  local -a Oargv=( "$@" )
  _alternative -O Oargv \
    'special-actions:drop/obtain all caps:__setpriv_caps_all' \
    'minus-plus-caps:capabilities:__setpriv_capability_expressions' \
    #
}

__setpriv_cap_set() {
  _sequence __setpriv_cap_set_element
}

__setpriv_death_signals() {
  _alternative \
    'special-actions:keep or clear:(keep clear)' \
    'signals:UNIX signals:_signals' \
    #
}

local context state state_descr line
typeset -A opt_args

_arguments -S \
  '(- : *)--help[print help and exit]' \
  '(- : *)'{-V,--version}'[print version information and exit]' \
  '(- : *)*'{-d,--dump}'[display the current privilege state]' \
  '--clear-groups[clear supplementary groups]' \
  '--groups[set supplementary groups]:groups:_groups' \
  '--inh-caps[set inheritable caps]:capability set: __setpriv_cap_set' \
  '--ambient-caps[set ambient caps]:capability set: __setpriv_cap_set' \
  '--bounding-set[set the cap bounding set]:capability set: __setpriv_cap_set' \
  '(- : *)--list-caps[list all known capabilities]' \
  '--keep-groups[preserve supplementary groups]' \
  '--init-groups[initialize supplementary groups]' \
  '--no-new-privs[set NO_NEW_PRIVS]' \
  '--rgid[set real UNIX group id]:UNIX group:_groups' \
  '--egid[set effective UNIX group id]:UNIX group:_groups' \
  '--regid[set real and effective UNIX group id]:UNIX group:_groups' \
  '--ruid[set real UNIX user id]:UNIX user:_users' \
  '--euid[set effective UNIX user id]:UNIX user:_users' \
  '--reuid[set real and effective UNIX user id]:UNIX user:_users' \
  '--securebits[set "process securebits"]:prctl securebits:__setpriv_prctl_securebits_set' \
  '--pdeathsig[keep, clear, or set parent death signal]:signals: __setpriv_death_signals' \
  '--selinux-label[request a selinux label]:SELinux labels: ' \
  '--apparmor-profile[request an apparmor profile]:AppArmor profiles: ' \
  '--reset-env[set environment as for a classic login shell]' \
  '*:::command:_normal' \
  #