capabilities.conf revision 250154
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: head/sys/kern/capabilities.conf 250154 2013-05-01 20:10:21Z jilles $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2), as we scope it internally to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
cap_new
cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications to only the
## required commands using the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptor operations, subject to capability rights.
## Use of explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
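The notes at the top of the file state its format and its one invariant: one system-call name per line, `##` lines carrying the rationale, a leading `#` on a name recording a call that is listed but deliberately not enabled in capability mode, and the list kept sorted. The Python below is an added example, not part of FreeBSD or of this file: a parser and consistency checker for that format, run over a constructed excerpt written in the same style. It recovers the enabled and denied name sets, flags entries that break sort order or appear twice, and looks up the recorded rationale for a denied call. Sort order is plain byte order, which is what puts the `__acl_*` and `_umtx_*` names first in the real file; run over the list above, the checker would report the directory-capability block, where `chflagsat` follows `olio_listio`.

```python
"""Parser and consistency checker for the capabilities.conf format.

Added example, not part of the FreeBSD source tree. Rules implemented are
the ones the file states about itself: one name per line, '##' lines are
rationale, '#name' is a call that is present but not enabled, list sorted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Entry:
    name: str          # system-call name as written in the file
    enabled: bool      # False when the line reads '#name' (listed but denied)
    lineno: int        # 1-based line in the source text
    rationale: List[str] = field(default_factory=list)  # '##' text above it
    note: str = ""     # trailing '# ...' remark, e.g. "not yet implemented"


def parse_capabilities_conf(text: str) -> List[Entry]:
    """Return entries in file order, each tagged with the '##' block above it."""
    entries: List[Entry] = []
    pending: List[str] = []  # rationale lines waiting for their first name
    current: List[str] = []  # rationale applying to the current run of names
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            # A blank line closes the block; the next '##' starts a new rationale.
            pending, current = [], []
            continue
        if line.startswith("##"):
            body = line[2:].strip()
            if body:  # skip the bare '##' framing lines
                pending.append(body)
            continue
        if pending:
            current, pending = pending, []
        enabled = not line.startswith("#")
        body = line if enabled else line[1:]
        name, _, note = body.partition("#")  # '#pdwait4  # not yet implemented'
        entries.append(Entry(name.strip(), enabled, lineno, list(current), note.strip()))
    return entries


def check_sorted(entries: List[Entry]) -> List[Tuple[str, str, int]]:
    """(previous, offending, lineno) for every place the list breaks byte order."""
    return [(p.name, c.name, c.lineno)
            for p, c in zip(entries, entries[1:]) if c.name < p.name]


def find_duplicates(entries: List[Entry]) -> Dict[str, List[int]]:
    """Names listed more than once; an enabled and a '#'-denied copy both count."""
    seen: Dict[str, List[int]] = {}
    for e in entries:
        seen.setdefault(e.name, []).append(e.lineno)
    return {n: ls for n, ls in seen.items() if len(ls) > 1}


def policy(entries: List[Entry]) -> Tuple[Set[str], Set[str]]:
    """Split into (enabled, denied): what capability mode admits vs. records as denied."""
    return ({e.name for e in entries if e.enabled},
            {e.name for e in entries if not e.enabled})


def rationale_for(entries: List[Entry], name: str) -> str:
    """Join the '##' text recorded above the named call, or '' if it is absent."""
    for e in entries:
        if e.name == name:
            return " ".join(e.rationale)
    return ""


# Constructed excerpt in the file's own format; not the real capabilities.conf.
# The directory-capability block is deliberately out of byte order, as in the real file.
SAMPLE_CONF = """\
##
## Constructed excerpt in capabilities.conf format (not the real file).
##

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Operations relative to directory capabilities.
##
openat
chflagsat

##
## Process descriptor-related system calls are allowed.
##
pdfork
#pdwait4\t# not yet implemented
"""

if __name__ == "__main__":
    ents = parse_capabilities_conf(SAMPLE_CONF)
    allowed, denied = policy(ents)
    print("enabled:", sorted(allowed))
    print("denied: ", sorted(denied))
    for prev, cur, ln in check_sorted(ents):
        print(f"line {ln}: {cur!r} breaks sort order after {prev!r}")
    print("why cpuset is denied:", rationale_for(ents, "cpuset"))
```

Pointing the parser at the real file rather than the embedded excerpt is a matter of reading the file into `text`; the checks are the ones a reviewer applies by hand when a new name is added: is it sorted, is it already present, and does a `##` block above it say why it is allowed or denied.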