capabilities.conf revision 247667 
1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.
30##
31## Notes:
32## - sys_exit(2), abort2(2) and close(2) are very important.
33## - Sorted alphabetically, please keep it that way.
34##
35## $FreeBSD: head/sys/kern/capabilities.conf 247667 2013-03-02 21:11:30Z pjd $
36##
37
38##
39## Allow ACL and MAC label operations by file descriptor, subject to
40## capability rights.  Allow MAC label operations on the current process but
41## we will need to scope __mac_get_pid(2).
42##
43__acl_aclcheck_fd
44__acl_delete_fd
45__acl_get_fd
46__acl_set_fd
47__mac_get_fd
48#__mac_get_pid
49__mac_get_proc
50__mac_set_fd
51__mac_set_proc
52
53##
54## Allow sysctl(2) as we scope internal to the call; this is a global
55## namespace, but there are several critical sysctls required for almost
56## anything to run, such as hw.pagesize.  For now that policy lives in the
57## kernel for performance and simplicity, but perhaps it could move to a
58## proxying daemon in userspace.
59##
60__sysctl
61
62##
63## Allow umtx operations as these are scoped by address space.
64##
65## XXRW: Need to check this very carefully.
66##
67_umtx_lock
68_umtx_op
69_umtx_unlock
70
71##
72## Allow process termination using abort2(2).
73##
74abort2
75
76##
77## Allow accept(2) since it doesn't manipulate namespaces directly, rather
78## relies on existing bindings on a socket, subject to capability rights.
79##
80accept
81
82##
83## Allow AIO operations by file descriptor, subject to capability rights.
84##
85aio_cancel
86aio_error
87aio_fsync
88aio_read
89aio_return
90aio_suspend
91aio_waitcomplete
92aio_write
93
94##
95## audit(2) is a global operation, submitting to the global trail, but it is
96## controlled by privilege, and it might be useful to be able to submit
97## records from sandboxes.  For now, disallow, but we may want to think about
98## providing some sort of proxy service for this.
99##
100#audit
101
102##
103## Allow bindat(2).
104##
105bindat
106
107##
108## Allow capability mode and capability system calls.
109##
110cap_enter
111cap_fcntls_get
112cap_fcntls_limit
113cap_getmode
114cap_ioctls_get
115cap_ioctls_limit
116cap_new
117cap_rights_get
118cap_rights_limit
119
120##
121## Allow read-only clock operations.
122##
123clock_gettime
124clock_getres
125
126##
127## Always allow file descriptor close(2).
128##
129close
130closefrom
131
132##
133## Allow connectat(2).
134##
135connectat
136
137##
138## cpuset(2) and related calls require scoping by process, but should
139## eventually be allowed, at least in the current process case.
140##
141#cpuset
142#cpuset_getaffinity
143#cpuset_getid
144#cpuset_setaffinity
145#cpuset_setid
146
147##
148## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
149##
150dup
151dup2
152
153##
154## Allow extended attribute operations by file descriptor, subject to
155## capability rights.
156##
157extattr_delete_fd
158extattr_get_fd
159extattr_list_fd
160extattr_set_fd
161
162##
163## Allow changing file flags, mode, and owner by file descriptor, subject to
164## capability rights.
165##
166fchflags
167fchmod
168fchown
169
170##
171## For now, allow fcntl(2), subject to capability rights, but this probably
172## needs additional scoping.
173##
174fcntl
175
176##
177## Allow fexecve(2), subject to capability rights.  We perform some scoping,
178## such as disallowing privilege escalation.
179##
180fexecve
181
182##
183## Allow flock(2), subject to capability rights.
184##
185flock
186
187##
188## Allow fork(2), even though it returns pids -- some applications seem to
189## prefer this interface.
190##
191fork
192
193##
194## Allow fpathconf(2), subject to capability rights.
195##
196fpathconf
197
198##
199## Allow various file descriptor-based I/O operations, subject to capability
200## rights.
201##
202freebsd6_ftruncate
203freebsd6_lseek
204freebsd6_mmap
205freebsd6_pread
206freebsd6_pwrite
207
208##
209## Allow querying file and file system state with fstat(2) and fstatfs(2),
210## subject to capability rights.
211##
212fstat
213fstatfs
214
215##
216## Allow further file descriptor-based I/O operations, subject to capability
217## rights.
218##
219fsync
220ftruncate
221
222##
223## Allow futimes(2), subject to capability rights.
224##
225futimes
226
227##
228## Allow querying process audit state, subject to normal access control.
229##
230getaudit
231getaudit_addr
232getauid
233
234##
235## Allow thread context management with getcontext(2).
236##
237getcontext
238
239##
240## Allow directory I/O on a file descriptor, subject to capability rights.
241## Originally we had separate capabilities for directory-specific read
242## operations, but on BSD we allow reading the raw directory data, so we just
243## rely on CAP_READ now.
244##
245getdents
246getdirentries
247
248##
249## Allow querying certain trivial global state.
250##
251getdomainname
252
253##
254## Allow querying current process credential state.
255##
256getegid
257geteuid
258
259##
260## Allow querying certain trivial global state.
261##
262gethostid
263gethostname
264
265##
266## Allow querying per-process timer.
267##
268getitimer
269
270##
271## Allow querying current process credential state.
272##
273getgid
274getgroups
275getlogin
276
277##
278## Allow querying certain trivial global state.
279##
280getpagesize
281getpeername
282
283##
284## Allow querying certain per-process scheduling, resource limit, and
285## credential state.
286##
287## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
288## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
289## getsid(2) needs scoping.
290##
291getpgid
292getpgrp
293getpid
294getppid
295getpriority
296getresgid
297getresuid
298getrlimit
299getrusage
300getsid
301
302##
303## Allow querying socket state, subject to capability rights.
304##
305## XXXRW: getsockopt(2) may need more attention.
306##
307getsockname
308getsockopt
309
310##
311## Allow querying the global clock.
312##
313gettimeofday
314
315##
316## Allow querying current process credential state.
317##
318getuid
319
320##
321## Allow ioctl(2), which hopefully will be limited by applications only to
322## required commands with cap_ioctls_limit(2) syscall.
323##
324ioctl
325
326##
327## Allow querying current process credential state.
328##
329issetugid
330
331##
332## Allow kevent(2), as we will authorize based on capability rights on the
333## target descriptor.
334##
335kevent
336
337##
338## Allow kill(2), as we allow the process to send signals only to himself.
339##
340kill
341
342##
343## Allow message queue operations on file descriptors, subject to capability
344## rights.
345##
346kmq_notify
347kmq_setattr
348kmq_timedreceive
349kmq_timedsend
350
351##
352## Allow kqueue(2), we will control use.
353##
354kqueue
355
356##
357## Allow managing per-process timers.
358##
359ktimer_create
360ktimer_delete
361ktimer_getoverrun
362ktimer_gettime
363ktimer_settime
364
365##
366## We can't allow ktrace(2) because it relies on a global namespace, but we
367## might want to introduce an fktrace(2) of some sort.
368##
369#ktrace
370
371##
372## Allow AIO operations by file descriptor, subject to capability rights.
373##
374lio_listio
375
376##
377## Allow listen(2), subject to capability rights.
378##
379## XXXRW: One might argue this manipulates a global namespace.
380##
381listen
382
383##
384## Allow I/O-related file descriptors, subject to capability rights.
385##
386lseek
387
388##
389## Allow MAC label operations by file descriptor, subject to capability
390## rights.
391##
392mac_get_fd
393mac_set_fd
394
395##
396## Allow simple VM operations on the current process.
397##
398madvise
399mincore
400minherit
401mlock
402mlockall
403
404##
405## Allow memory mapping a file descriptor, and updating protections, subject
406## to capability rights.
407##
408mmap
409mprotect
410
411##
412## Allow simple VM operations on the current process.
413##
414msync
415munlock
416munlockall
417munmap
418
419##
420## Allow the current process to sleep.
421##
422nanosleep
423
424##
425## Allow querying the global clock.
426##
427ntp_gettime
428
429##
430## Allow AIO operations by file descriptor, subject to capability rights.
431##
432oaio_read
433oaio_write
434
435##
436## Allow simple VM operations on the current process.
437##
438obreak
439
440##
441## Allow AIO operations by file descriptor, subject to capability rights.
442##
443olio_listio
444
445##
446## Operations relative to directory capabilities.
447##
448faccessat
449fstatat
450fchmodat
451fchownat
452futimesat
453linkat
454mkdirat
455mkfifoat
456mknodat
457openat
458readlinkat
459renameat
460symlinkat
461unlinkat
462
463##
464## Allow entry into open(2). This system call will fail, since access to the
465## global file namespace has been disallowed, but allowing entry into the
466## syscall means that an audit trail will be generated (which is also very
467## useful for debugging).
468##
469open
470
471##
472## Allow poll(2), which will be scoped by capability rights.
473##
474## XXXRW: Perhaps we don't need the OpenBSD version?
475## XXXRW: We don't yet do that scoping.
476##
477openbsd_poll
478
479##
480## Process descriptor-related system calls are allowed.
481##
482pdfork
483pdgetpid
484pdkill
485#pdwait4	# not yet implemented
486
487##
488## Allow pipe(2).
489##
490pipe
491
492##
493## Allow poll(2), which will be scoped by capability rights.
494## XXXRW: We don't yet do that scoping.
495##
496poll
497
498##
499## Allow I/O-related file descriptors, subject to capability rights.
500##
501pread
502preadv
503
504##
505## Allow access to profiling state on the current process.
506##
507profil
508
509##
510## Disallow ptrace(2) for now, but we do need debugging facilities in
511## capability mode, so we will want to revisit this, possibly by scoping its
512## operation.
513##
514#ptrace
515
516##
517## Allow I/O-related file descriptors, subject to capability rights.
518##
519pwrite
520pwritev
521read
522readv
523recv
524recvfrom
525recvmsg
526
527##
528## Allow real-time scheduling primitives to be used.
529##
530## XXXRW: These require scoping.
531##
532rtprio
533rtprio_thread
534
535##
536## Allow simple VM operations on the current process.
537##
538sbrk
539
540##
541## Allow querying trivial global scheduler state.
542##
543sched_get_priority_max
544sched_get_priority_min
545
546##
547## Allow various thread/process scheduler operations.
548##
549## XXXRW: Some of these require further scoping.
550##
551sched_getparam
552sched_getscheduler
553sched_rr_getinterval
554sched_setparam
555sched_setscheduler
556sched_yield
557
558##
559## Allow I/O-related file descriptors, subject to capability rights.
560##
561sctp_generic_recvmsg
562sctp_generic_sendmsg
563sctp_generic_sendmsg_iov
564sctp_peeloff
565
566##
567## Allow select(2), which will be scoped by capability rights.
568##
569## XXXRW: But is it?
570##
571select
572
573##
574## Allow I/O-related file descriptors, subject to capability rights.  Use of
575## explicit addresses here is restricted by the system calls themselves.
576##
577send
578sendfile
579sendmsg
580sendto
581
582##
583## Allow setting per-process audit state, which is controlled separately by
584## privileges.
585##
586setaudit
587setaudit_addr
588setauid
589
590##
591## Allow setting thread context.
592##
593setcontext
594
595##
596## Allow setting current process credential state, which is controlled
597## separately by privilege.
598##
599setegid
600seteuid
601setgid
602
603##
604## Allow use of the process interval timer.
605##
606setitimer
607
608##
609## Allow setpriority(2).
610##
611## XXXRW: Requires scoping.
612##
613setpriority
614
615##
616## Allow setting current process credential state, which is controlled
617## separately by privilege.
618##
619setregid
620setresgid
621setresuid
622setreuid
623
624##
625## Allow setting process resource limits with setrlimit(2).
626##
627setrlimit
628
629##
630## Allow creating a new session with setsid(2).
631##
632setsid
633
634##
635## Allow setting socket options with setsockopt(2), subject to capability
636## rights.
637##
638## XXXRW: Might require scoping.
639##
640setsockopt
641
642##
643## Allow setting current process credential state, which is controlled
644## separately by privilege.
645##
646setuid
647
648##
649## shm_open(2) is scoped so as to allow only access to new anonymous objects.
650##
651shm_open
652
653##
654## Allow I/O-related file descriptors, subject to capability rights.
655##
656shutdown
657
658##
659## Allow signal control on current process.
660##
661sigaction
662sigaltstack
663sigblock
664sigpending
665sigprocmask
666sigqueue
667sigreturn
668sigsetmask
669sigstack
670sigsuspend
671sigtimedwait
672sigvec
673sigwaitinfo
674
675##
676## Allow creating new socket pairs with socket(2) and socketpair(2).
677##
678socket
679socketpair
680
681##
682## Allow simple VM operations on the current process.
683##
684## XXXRW: Kernel doesn't implement this, so drop?
685##
686sstk
687
688##
689## Do allow sync(2) for now, but possibly shouldn't.
690##
691sync
692
693##
694## Always allow process termination with sys_exit(2).
695##
696sys_exit
697
698##
699## sysarch(2) does rather diverse things, but is required on at least i386
700## in order to configure per-thread data.  As such, it's scoped on each
701## architecture.
702##
703sysarch
704
705##
706## Allow thread operations operating only on current process.
707##
708thr_create
709thr_exit
710thr_kill
711
712##
713## Disallow thr_kill2(2), as it may operate beyond the current process.
714##
715## XXXRW: Requires scoping.
716##
717#thr_kill2
718
719##
720## Allow thread operations operating only on current process.
721##
722thr_new
723thr_self
724thr_set_name
725thr_suspend
726thr_wake
727
728##
729## Allow manipulation of the current process umask with umask(2).
730##
731umask
732
733##
734## Allow submitting of process trace entries with utrace(2).
735##
736utrace
737
738##
739## Allow generating UUIDs with uuidgen(2).
740##
741uuidgen
742
743##
744## Allow I/O-related file descriptors, subject to capability rights.
745##
746write
747writev
748
749##
750## Allow processes to yield(2).
751##
752yield
753