capabilities.conf revision 236361

##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: head/sys/kern/capabilities.conf 236361 2012-05-31 19:32:37Z pjd $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Disallow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.
##
#bind

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_getmode
cap_getrights
cap_new

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
##
#connect

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying the per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Disallow ioctl(2) for now, as ioctl(2) operations frequently have global
## scope, but this is a tricky one as it is also required for tty control.
## We do have a capability right for this operation.
##
## XXXRW: This needs to be revisited.
##
#ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
fchownat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights. Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new sockets and socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
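As an added example (not part of FreeBSD or of this file), a small Python audit of the format the header describes: one system call name per line, `##` for comments, and a single leading `#` for a known but deliberately disabled call. It extracts the allow list, reports adjacent entries that break the "sorted alphabetically" rule, and checks that the three calls the header calls "very important" are enabled. `SAMPLE_CONF` is a constructed excerpt, not the whole file.

```python
"""Parse a Capsicum capabilities.conf and audit the invariants its header states.

Added example (not FreeBSD code). Format taken from the file's header.
"""
import re

# Constructed excerpt in the file's format; not the complete file.
SAMPLE_CONF = """\
## List of system calls enabled in capability mode, one name per line.
__sysctl
abort2
#bind
clock_gettime
clock_getres
close
#pdwait4 # not yet implemented
open
sys_exit
"""

REQUIRED = ("sys_exit", "abort2", "close")  # header: "very important"
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_capabilities_conf(text):
    """Return [(name, enabled)] in file order.

    `##` lines are comments. `#name` is a disabled entry and may carry a
    trailing remark, as `#pdwait4 # not yet implemented` does in the real file.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        enabled = not line.startswith("#")
        m = _NAME.match(line.lstrip("#").lstrip())
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        entries.append((m.group(0), enabled))
    return entries


def sort_violations(entries):
    """Adjacent pairs (disabled entries included) that break 'sorted alphabetically'."""
    names = [n for n, _ in entries]
    return [(a, b) for a, b in zip(names, names[1:]) if b < a]


def missing_required(entries):
    """REQUIRED names not enabled: a sandboxed process could not even exit cleanly."""
    enabled = {n for n, on in entries if on}
    return [n for n in REQUIRED if n not in enabled]
```

Run against the full file, `sort_violations` flags the directory-capability block (`faccessat` after `olio_listio`) and `clock_getres` after `clock_gettime`, which the excerpt reproduces.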