1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
## List of system calls permitted in capability mode, one name per line.
## A system call that is absent from this list, or whose entry is commented
## out, is refused to a process in capability mode.
30##
31## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important: a sandboxed
##   process must always be able to terminate and to release descriptors,
##   so do not remove them.
33## - Sorted alphabetically, please keep it that way.
34##
35## $FreeBSD: head/sys/kern/capabilities.conf 236361 2012-05-31 19:32:37Z pjd $
36##
37
38##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process;
## __mac_get_pid(2) takes a pid from the global process namespace and stays
## disabled until it has been scoped.
42##
43__acl_aclcheck_fd
44__acl_delete_fd
45__acl_get_fd
46__acl_set_fd
47__mac_get_fd
48#__mac_get_pid
49__mac_get_proc
50__mac_set_fd
51__mac_set_proc
52
53##
## Allow sysctl(2); the scoping is done inside the call itself.  sysctl is a
## global namespace, but several sysctls are required for almost anything to
## run, such as hw.pagesize.  For now that policy lives in the kernel for
## performance and simplicity, but it could perhaps move to a proxying
## daemon in userspace.
59##
60__sysctl
61
62##
63## Allow umtx operations as these are scoped by address space.
64##
## XXXRW: Need to check this very carefully.
66##
67_umtx_lock
68_umtx_op
69_umtx_unlock
70
71##
72## Allow process termination using abort2(2).
73##
74abort2
75
76##
## Allow accept(2) since it does not manipulate a namespace directly but
## relies on the existing binding of a socket, subject to capability rights.
79##
80accept
81
82##
83## Allow AIO operations by file descriptor, subject to capability rights.
84##
85aio_cancel
86aio_error
87aio_fsync
88aio_read
89aio_return
90aio_suspend
91aio_waitcomplete
92aio_write
93
94##
95## audit(2) is a global operation, submitting to the global trail, but it is
96## controlled by privilege, and it might be useful to be able to submit
97## records from sandboxes.  For now, disallow, but we may want to think about
98## providing some sort of proxy service for this.
99##
100#audit
101
102##
## Disallow bind(2) for now, even though we support CAP_BIND.
104##
105## XXXRW: Revisit this.
106##
107#bind
108
109##
110## Allow capability mode and capability system calls.
111##
112cap_enter
113cap_getmode
114cap_getrights
115cap_new
116
117##
118## Allow read-only clock operations.
119##
120clock_gettime
121clock_getres
122
123##
124## Always allow file descriptor close(2).
125##
126close
127closefrom
128
129##
130## Disallow connect(2) for now, despite CAP_CONNECT.
131##
132## XXXRW: Revisit this.
133##
134#connect
135
136##
137## cpuset(2) and related calls require scoping by process, but should
138## eventually be allowed, at least in the current process case.
139##
140#cpuset
141#cpuset_getaffinity
142#cpuset_getid
143#cpuset_setaffinity
144#cpuset_setid
145
146##
147## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
148##
149dup
150dup2
151
152##
153## Allow extended attribute operations by file descriptor, subject to
154## capability rights.
155##
156extattr_delete_fd
157extattr_get_fd
158extattr_list_fd
159extattr_set_fd
160
161##
162## Allow changing file flags, mode, and owner by file descriptor, subject to
163## capability rights.
164##
165fchflags
166fchmod
167fchown
168
169##
170## For now, allow fcntl(2), subject to capability rights, but this probably
171## needs additional scoping.
172##
173fcntl
174
175##
176## Allow fexecve(2), subject to capability rights.  We perform some scoping,
177## such as disallowing privilege escalation.
178##
179fexecve
180
181##
182## Allow flock(2), subject to capability rights.
183##
184flock
185
186##
## Allow fork(2) even though it returns a pid from the global process
## namespace -- some applications seem to prefer this interface to the
## process-descriptor one (pdfork(2)).
189##
190fork
191
192##
193## Allow fpathconf(2), subject to capability rights.
194##
195fpathconf
196
197##
198## Allow various file descriptor-based I/O operations, subject to capability
199## rights.
200##
201freebsd6_ftruncate
202freebsd6_lseek
203freebsd6_mmap
204freebsd6_pread
205freebsd6_pwrite
206
207##
208## Allow querying file and file system state with fstat(2) and fstatfs(2),
209## subject to capability rights.
210##
211fstat
212fstatfs
213
214##
215## Allow further file descriptor-based I/O operations, subject to capability
216## rights.
217##
218fsync
219ftruncate
220
221##
222## Allow futimes(2), subject to capability rights.
223##
224futimes
225
226##
227## Allow querying process audit state, subject to normal access control.
228##
229getaudit
230getaudit_addr
231getauid
232
233##
234## Allow thread context management with getcontext(2).
235##
236getcontext
237
238##
239## Allow directory I/O on a file descriptor, subject to capability rights.
240## Originally we had separate capabilities for directory-specific read
241## operations, but on BSD we allow reading the raw directory data, so we just
242## rely on CAP_READ and CAP_SEEK now.
243##
244getdents
245getdirentries
246
247##
248## Allow querying certain trivial global state.
249##
250getdomainname
251
252##
253## Allow querying current process credential state.
254##
255getegid
256geteuid
257
258##
259## Allow querying certain trivial global state.
260##
261gethostid
262gethostname
263
264##
265## Allow querying per-process timer.
266##
267getitimer
268
269##
270## Allow querying current process credential state.
271##
272getgid
273getgroups
274getlogin
275
276##
277## Allow querying certain trivial global state.
278##
279getpagesize
280getpeername
281
282##
283## Allow querying certain per-process scheduling, resource limit, and
284## credential state.
285##
286## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
287## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
288## getsid(2) needs scoping.
289##
290getpgid
291getpgrp
292getpid
293getppid
294getpriority
295getresgid
296getresuid
297getrlimit
298getrusage
299getsid
300
301##
302## Allow querying socket state, subject to capability rights.
303##
304## XXXRW: getsockopt(2) may need more attention.
305##
306getsockname
307getsockopt
308
309##
310## Allow querying the global clock.
311##
312gettimeofday
313
314##
315## Allow querying current process credential state.
316##
317getuid
318
319##
## Disallow ioctl(2) for now: many ioctl(2) requests have global scope, so
## the capability right that exists for this operation is not by itself
## enough to make it safe.  This is a tricky one, though, as ioctl(2) is also
## required for tty control.
323##
324## XXXRW: This needs to be revisited.
325##
326#ioctl
327
328##
329## Allow querying current process credential state.
330##
331issetugid
332
333##
334## Allow kevent(2), as we will authorize based on capability rights on the
335## target descriptor.
336##
337kevent
338
339##
340## Allow message queue operations on file descriptors, subject to capability
341## rights.
342##
343kmq_notify
344kmq_setattr
345kmq_timedreceive
346kmq_timedsend
347
348##
## Allow kqueue(2); use of the resulting queue is controlled separately (see
## kevent(2) above).
350##
351kqueue
352
353##
354## Allow managing per-process timers.
355##
356ktimer_create
357ktimer_delete
358ktimer_getoverrun
359ktimer_gettime
360ktimer_settime
361
362##
363## We can't allow ktrace(2) because it relies on a global namespace, but we
364## might want to introduce an fktrace(2) of some sort.
365##
366#ktrace
367
368##
369## Allow AIO operations by file descriptor, subject to capability rights.
370##
371lio_listio
372
373##
374## Allow listen(2), subject to capability rights.
375##
376## XXXRW: One might argue this manipulates a global namespace.
377##
378listen
379
380##
## Allow I/O operations on file descriptors, subject to capability rights.
382##
383lseek
384
385##
386## Allow MAC label operations by file descriptor, subject to capability
387## rights.
388##
389mac_get_fd
390mac_set_fd
391
392##
393## Allow simple VM operations on the current process.
394##
395madvise
396mincore
397minherit
398mlock
399mlockall
400
401##
402## Allow memory mapping a file descriptor, and updating protections, subject
403## to capability rights.
404##
405mmap
406mprotect
407
408##
409## Allow simple VM operations on the current process.
410##
411msync
412munlock
413munlockall
414munmap
415
416##
417## Allow the current process to sleep.
418##
419nanosleep
420
421##
422## Allow querying the global clock.
423##
424ntp_gettime
425
426##
427## Allow AIO operations by file descriptor, subject to capability rights.
428##
429oaio_read
430oaio_write
431
432##
433## Allow simple VM operations on the current process.
434##
435obreak
436
437##
438## Allow AIO operations by file descriptor, subject to capability rights.
439##
440olio_listio
441
442##
443## Operations relative to directory capabilities.
444##
445faccessat
446fstatat
447fchmodat
448fchownat
449futimesat
450linkat
451mkdirat
452mkfifoat
453mknodat
454openat
455readlinkat
456renameat
457symlinkat
458unlinkat
459
460##
## Allow entry into open(2).  The call itself will fail, since access to the
## global file namespace is disallowed in capability mode, but allowing entry
## into the syscall means that an audit trail is generated for the attempt
## (which is also very useful for debugging).
465##
466open
467
468##
469## Allow poll(2), which will be scoped by capability rights.
470##
471## XXXRW: Perhaps we don't need the OpenBSD version?
472## XXXRW: We don't yet do that scoping.
473##
474openbsd_poll
475
476##
477## Process descriptor-related system calls are allowed.
478##
479pdfork
480pdgetpid
481pdkill
482#pdwait4	# not yet implemented
483
484##
485## Allow pipe(2).
486##
487pipe
488
489##
490## Allow poll(2), which will be scoped by capability rights.
491## XXXRW: We don't yet do that scoping.
492##
493poll
494
495##
## Allow I/O operations on file descriptors, subject to capability rights.
497##
498pread
499preadv
500
501##
502## Allow access to profiling state on the current process.
503##
504profil
505
506##
507## Disallow ptrace(2) for now, but we do need debugging facilities in
508## capability mode, so we will want to revisit this, possibly by scoping its
509## operation.
510##
511#ptrace
512
513##
## Allow I/O operations on file descriptors, subject to capability rights.
515##
516pwrite
517pwritev
518read
519readv
520recv
521recvfrom
522recvmsg
523
524##
525## Allow real-time scheduling primitives to be used.
526##
527## XXXRW: These require scoping.
528##
529rtprio
530rtprio_thread
531
532##
533## Allow simple VM operations on the current process.
534##
535sbrk
536
537##
538## Allow querying trivial global scheduler state.
539##
540sched_get_priority_max
541sched_get_priority_min
542
543##
544## Allow various thread/process scheduler operations.
545##
546## XXXRW: Some of these require further scoping.
547##
548sched_getparam
549sched_getscheduler
550sched_rr_getinterval
551sched_setparam
552sched_setscheduler
553sched_yield
554
555##
## Allow I/O operations on file descriptors, subject to capability rights.
557##
558sctp_generic_recvmsg
559sctp_generic_sendmsg
560sctp_generic_sendmsg_iov
561sctp_peeloff
562
563##
564## Allow select(2), which will be scoped by capability rights.
565##
566## XXXRW: But is it?
567##
568select
569
570##
## Allow I/O operations on file descriptors, subject to capability rights.
## Use of explicit addresses here is restricted by the system calls
## themselves.
573##
574send
575sendfile
576sendmsg
577sendto
578
579##
580## Allow setting per-process audit state, which is controlled separately by
581## privileges.
582##
583setaudit
584setaudit_addr
585setauid
586
587##
588## Allow setting thread context.
589##
590setcontext
591
592##
593## Allow setting current process credential state, which is controlled
594## separately by privilege.
595##
596setegid
597seteuid
598setgid
599
600##
601## Allow use of the process interval timer.
602##
603setitimer
604
605##
606## Allow setpriority(2).
607##
608## XXXRW: Requires scoping.
609##
610setpriority
611
612##
613## Allow setting current process credential state, which is controlled
614## separately by privilege.
615##
616setregid
617setresgid
618setresuid
619setreuid
620
621##
622## Allow setting process resource limits with setrlimit(2).
623##
624setrlimit
625
626##
627## Allow creating a new session with setsid(2).
628##
629setsid
630
631##
632## Allow setting socket options with setsockopt(2), subject to capability
633## rights.
634##
635## XXXRW: Might require scoping.
636##
637setsockopt
638
639##
640## Allow setting current process credential state, which is controlled
641## separately by privilege.
642##
643setuid
644
645##
## shm_open(2) is scoped in capability mode so that only new anonymous
## objects can be created; named objects in the global namespace are not
## reachable.
647##
648shm_open
649
650##
## Allow I/O operations on file descriptors, subject to capability rights.
652##
653shutdown
654
655##
656## Allow signal control on current process.
657##
658sigaction
659sigaltstack
660sigblock
661sigpending
662sigprocmask
663sigqueue
664sigreturn
665sigsetmask
666sigstack
667sigsuspend
668sigtimedwait
669sigvec
670sigwaitinfo
671
672##
## Allow creating new sockets with socket(2) and new socket pairs with
## socketpair(2).
674##
675socket
676socketpair
677
678##
679## Allow simple VM operations on the current process.
680##
681## XXXRW: Kernel doesn't implement this, so drop?
682##
683sstk
684
685##
## Allow sync(2) for now, although it possibly should not be: it is a global
## operation rather than one scoped to a file descriptor.
687##
688sync
689
690##
691## Always allow process termination with sys_exit(2).
692##
693sys_exit
694
695##
696## sysarch(2) does rather diverse things, but is required on at least i386
697## in order to configure per-thread data.  As such, it's scoped on each
698## architecture.
699##
700sysarch
701
702##
## Allow thread operations that act only on the current process.
704##
705thr_create
706thr_exit
707thr_kill
708
709##
710## Disallow thr_kill2(2), as it may operate beyond the current process.
711##
712## XXXRW: Requires scoping.
713##
714#thr_kill2
715
716##
## Allow thread operations that act only on the current process.
718##
719thr_new
720thr_self
721thr_set_name
722thr_suspend
723thr_wake
724
725##
726## Allow manipulation of the current process umask with umask(2).
727##
728umask
729
730##
731## Allow submitting of process trace entries with utrace(2).
732##
733utrace
734
735##
736## Allow generating UUIDs with uuidgen(2).
737##
738uuidgen
739
740##
## Allow I/O operations on file descriptors, subject to capability rights.
742##
743write
744writev
745
746##
747## Allow processes to yield(2).
748##
749yield
750