capabilities.conf revision 224812
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: head/sys/kern/capabilities.conf 224812 2011-08-13 10:43:21Z jonathan $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Disallow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.
##
#bind

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_getmode
cap_getrights
cap_new

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
##
#connect

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights. mmap(2) requires further attention.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
## scope, but this is a tricky one as it is also required for tty control.
## We do have a capability right for this operation.
##
## XXXRW: This needs to be revisited.
##
#ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
## XXXRW: Do we do this?
##
kevent

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
## XXXRW: We currently don't properly mask VM protections using capability
## rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
futimesat
mkdirat
rmdirat
mkfifoat
mknodat
openat
renameat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
pdwait4

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptors, subject to capability rights. Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
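The file above is the kernel's allowlist for Capsicum capability mode: every bare name is a system call that remains reachable from a sandboxed process, a `##` line is commentary, and a `#name` line records a call the authors considered and deliberately left out (`#ioctl`, `#ptrace`, `#connect`). Because the kernel build derives the per-syscall capability-mode flag from this list, any revision that adds a bare name widens what a sandbox can reach, so the file deserves the same review discipline as a firewall policy. The following checker is an added example written for this page, not FreeBSD's own build tooling: it parses the format, separates enabled from explicitly disabled calls, flags malformed and duplicate entries, verifies the "sorted alphabetically" invariant the header asks for, and reports which calls a new revision newly enables relative to an old one. The `SAMPLE` text is a constructed excerpt in the same format (it includes the `getitimer`/`getgid` ordering the real file has) and is not the real file.

```python
"""Checker for the capabilities.conf format (added example, not FreeBSD code).

Format, as the file's own header describes it: one system call name per line,
"##" introduces a comment line, a blank line separates groups, and "#name"
(single hash, no space) is a call deliberately excluded from capability mode.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A syscall name as it appears in the file: C identifier characters only.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class Entry:
    name: str
    enabled: bool   # False for "#name" lines (explicitly disabled)
    lineno: int


@dataclass
class CapConf:
    entries: list[Entry] = field(default_factory=list)   # in file order
    errors: list[str] = field(default_factory=list)

    @property
    def enabled(self) -> list[str]:
        return [e.name for e in self.entries if e.enabled]

    @property
    def disabled(self) -> list[str]:
        return [e.name for e in self.entries if not e.enabled]


def parse_capabilities_conf(text: str) -> CapConf:
    """Parse the allowlist; malformed or duplicate lines go to conf.errors."""
    conf = CapConf()
    first_seen: dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                       # blank line or comment block
        enabled = not line.startswith("#")
        name = line if enabled else line[1:].strip()
        if not NAME_RE.match(name):
            conf.errors.append(f"line {lineno}: malformed entry {raw!r}")
            continue
        if name in first_seen:
            conf.errors.append(
                f"line {lineno}: duplicate {name} (first at line {first_seen[name]})")
            continue
        first_seen[name] = lineno
        conf.entries.append(Entry(name, enabled, lineno))
    return conf


def sort_violations(conf: CapConf) -> list[tuple[str, str]]:
    """Adjacent pairs (a, b) in file order where b sorts before a."""
    names = [e.name for e in conf.entries]
    return [(a, b) for a, b in zip(names, names[1:]) if b < a]


def classify(conf: CapConf, syscall: str) -> str:
    """'enabled', 'disabled' (listed as #name) or 'unlisted' (never considered)."""
    for e in conf.entries:
        if e.name == syscall:
            return "enabled" if e.enabled else "disabled"
    return "unlisted"


def newly_enabled(old_text: str, new_text: str) -> list[str]:
    """Calls a new revision makes reachable in capability mode: review these first."""
    old = set(parse_capabilities_conf(old_text).enabled)
    return [n for n in parse_capabilities_conf(new_text).enabled if n not in old]


# Constructed excerpt in the file's format; not the real capabilities.conf.
SAMPLE = """\
##
## Allow capability mode and capability system calls.
##
cap_enter
cap_getmode

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid

##
## Disallow ioctl(2) for now.
##
#ioctl

##
## open(2) fails in capability mode but leaves an audit trail; openat(2) works
## relative to a directory capability.
##
open
openat
"""

if __name__ == "__main__":
    conf = parse_capabilities_conf(SAMPLE)
    print("enabled: ", conf.enabled)
    print("disabled:", conf.disabled)
    print("errors:  ", conf.errors)
    print("out of order:", sort_violations(conf))
    print("ptrace is", classify(conf, "ptrace"))
```

Running the module prints the parsed sets and the single ordering violation in the sample (`getitimer` followed by `getgid`). In a review workflow the useful call is `newly_enabled(old, new)` against two revisions of the file: an empty result means the sandbox boundary did not grow, and anything else should be matched against a `##` comment explaining the scoping that makes the call safe.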