capabilities.conf revision 283940 
1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.
30##
31## Notes:
32## - sys_exit(2), abort2(2) and close(2) are very important.
33## - Sorted alphabetically, please keep it that way.
34##
35## $FreeBSD: stable/10/sys/kern/capabilities.conf 283940 2015-06-03 11:36:47Z emaste $
36##
37
38##
39## Allow ACL and MAC label operations by file descriptor, subject to
40## capability rights.  Allow MAC label operations on the current process but
41## we will need to scope __mac_get_pid(2).
42##
43__acl_aclcheck_fd
44__acl_delete_fd
45__acl_get_fd
46__acl_set_fd
47__mac_get_fd
48#__mac_get_pid
49__mac_get_proc
50__mac_set_fd
51__mac_set_proc
52
53##
54## Allow sysctl(2) as we scope internal to the call; this is a global
55## namespace, but there are several critical sysctls required for almost
56## anything to run, such as hw.pagesize.  For now that policy lives in the
57## kernel for performance and simplicity, but perhaps it could move to a
58## proxying daemon in userspace.
59##
60__sysctl
61
62##
63## Allow umtx operations as these are scoped by address space.
64##
65## XXRW: Need to check this very carefully.
66##
67_umtx_lock
68_umtx_op
69_umtx_unlock
70
71##
72## Allow process termination using abort2(2).
73##
74abort2
75
76##
77## Allow accept(2) since it doesn't manipulate namespaces directly, rather
78## relies on existing bindings on a socket, subject to capability rights.
79##
80accept
81accept4
82
83##
84## Allow AIO operations by file descriptor, subject to capability rights.
85##
86aio_cancel
87aio_error
88aio_fsync
89aio_read
90aio_return
91aio_suspend
92aio_waitcomplete
93aio_write
94
95##
96## audit(2) is a global operation, submitting to the global trail, but it is
97## controlled by privilege, and it might be useful to be able to submit
98## records from sandboxes.  For now, disallow, but we may want to think about
99## providing some sort of proxy service for this.
100##
101#audit
102
103##
104## Allow bindat(2).
105##
106bindat
107
108##
109## Allow capability mode and capability system calls.
110##
111cap_enter
112cap_fcntls_get
113cap_fcntls_limit
114cap_getmode
115cap_ioctls_get
116cap_ioctls_limit
117__cap_rights_get
118cap_rights_limit
119
120##
121## Allow read-only clock operations.
122##
123clock_getres
124clock_gettime
125
126##
127## Always allow file descriptor close(2).
128##
129close
130closefrom
131
132##
133## Allow connectat(2).
134##
135connectat
136
137##
138## cpuset(2) and related calls require scoping by process, but should
139## eventually be allowed, at least in the current process case.
140##
141#cpuset
142#cpuset_getaffinity
143#cpuset_getid
144#cpuset_setaffinity
145#cpuset_setid
146
147##
148## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
149##
150dup
151dup2
152
153##
154## Allow extended attribute operations by file descriptor, subject to
155## capability rights.
156##
157extattr_delete_fd
158extattr_get_fd
159extattr_list_fd
160extattr_set_fd
161
162##
163## Allow changing file flags, mode, and owner by file descriptor, subject to
164## capability rights.
165##
166fchflags
167fchmod
168fchown
169
170##
171## For now, allow fcntl(2), subject to capability rights, but this probably
172## needs additional scoping.
173##
174fcntl
175
176##
177## Allow fexecve(2), subject to capability rights.  We perform some scoping,
178## such as disallowing privilege escalation.
179##
180fexecve
181
182##
183## Allow flock(2), subject to capability rights.
184##
185flock
186
187##
188## Allow fork(2), even though it returns pids -- some applications seem to
189## prefer this interface.
190##
191fork
192
193##
194## Allow fpathconf(2), subject to capability rights.
195##
196fpathconf
197
198##
199## Allow various file descriptor-based I/O operations, subject to capability
200## rights.
201##
202freebsd6_ftruncate
203freebsd6_lseek
204freebsd6_mmap
205freebsd6_pread
206freebsd6_pwrite
207
208##
209## Allow querying file and file system state with fstat(2) and fstatfs(2),
210## subject to capability rights.
211##
212fstat
213fstatfs
214
215##
216## Allow further file descriptor-based I/O operations, subject to capability
217## rights.
218##
219fsync
220ftruncate
221
222##
223## Allow futimes(2), subject to capability rights.
224##
225futimes
226
227##
228## Allow querying process audit state, subject to normal access control.
229##
230getaudit
231getaudit_addr
232getauid
233
234##
235## Allow thread context management with getcontext(2).
236##
237getcontext
238
239##
240## Allow directory I/O on a file descriptor, subject to capability rights.
241## Originally we had separate capabilities for directory-specific read
242## operations, but on BSD we allow reading the raw directory data, so we just
243## rely on CAP_READ now.
244##
245getdents
246getdirentries
247
248##
249## Allow querying certain trivial global state.
250##
251getdomainname
252
253##
254## Allow querying current process credential state.
255##
256getegid
257geteuid
258
259##
260## Allow querying certain trivial global state.
261##
262gethostid
263gethostname
264
265##
266## Allow querying per-process timer.
267##
268getitimer
269
270##
271## Allow querying current process credential state.
272##
273getgid
274getgroups
275getlogin
276
277##
278## Allow querying certain trivial global state.
279##
280getpagesize
281getpeername
282
283##
284## Allow querying certain per-process scheduling, resource limit, and
285## credential state.
286##
287## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
288## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
289## getsid(2) needs scoping.
290##
291getpgid
292getpgrp
293getpid
294getppid
295getpriority
296getresgid
297getresuid
298getrlimit
299getrusage
300getsid
301
302##
303## Allow querying socket state, subject to capability rights.
304##
305## XXXRW: getsockopt(2) may need more attention.
306##
307getsockname
308getsockopt
309
310##
311## Allow querying the global clock.
312##
313gettimeofday
314
315##
316## Allow querying current process credential state.
317##
318getuid
319
320##
321## Allow ioctl(2), which hopefully will be limited by applications only to
322## required commands with cap_ioctls_limit(2) syscall.
323##
324ioctl
325
326##
327## Allow querying current process credential state.
328##
329issetugid
330
331##
332## Allow kevent(2), as we will authorize based on capability rights on the
333## target descriptor.
334##
335kevent
336
337##
338## Allow kill(2), as we allow the process to send signals only to himself.
339##
340kill
341
342##
343## Allow message queue operations on file descriptors, subject to capability
344## rights.
345##
346kmq_notify
347kmq_setattr
348kmq_timedreceive
349kmq_timedsend
350
351##
352## Allow kqueue(2), we will control use.
353##
354kqueue
355
356##
357## Allow managing per-process timers.
358##
359ktimer_create
360ktimer_delete
361ktimer_getoverrun
362ktimer_gettime
363ktimer_settime
364
365##
366## We can't allow ktrace(2) because it relies on a global namespace, but we
367## might want to introduce an fktrace(2) of some sort.
368##
369#ktrace
370
371##
372## Allow AIO operations by file descriptor, subject to capability rights.
373##
374lio_listio
375
376##
377## Allow listen(2), subject to capability rights.
378##
379## XXXRW: One might argue this manipulates a global namespace.
380##
381listen
382
383##
384## Allow I/O-related file descriptors, subject to capability rights.
385##
386lseek
387
388##
389## Allow simple VM operations on the current process.
390##
391madvise
392mincore
393minherit
394mlock
395mlockall
396
397##
398## Allow memory mapping a file descriptor, and updating protections, subject
399## to capability rights.
400##
401mmap
402mprotect
403
404##
405## Allow simple VM operations on the current process.
406##
407msync
408munlock
409munlockall
410munmap
411
412##
413## Allow the current process to sleep.
414##
415nanosleep
416
417##
418## Allow querying the global clock.
419##
420ntp_gettime
421
422##
423## Allow AIO operations by file descriptor, subject to capability rights.
424##
425oaio_read
426oaio_write
427
428##
429## Allow simple VM operations on the current process.
430##
431obreak
432
433##
434## Allow AIO operations by file descriptor, subject to capability rights.
435##
436olio_listio
437
438##
439## Operations relative to directory capabilities.
440##
441chflagsat
442faccessat
443fchmodat
444fchownat
445fstatat
446futimesat
447linkat
448mkdirat
449mkfifoat
450mknodat
451openat
452readlinkat
453renameat
454symlinkat
455unlinkat
456
457##
458## Allow entry into open(2). This system call will fail, since access to the
459## global file namespace has been disallowed, but allowing entry into the
460## syscall means that an audit trail will be generated (which is also very
461## useful for debugging).
462##
463open
464
465##
466## Allow poll(2), which will be scoped by capability rights.
467##
468## XXXRW: Perhaps we don't need the OpenBSD version?
469## XXXRW: We don't yet do that scoping.
470##
471openbsd_poll
472
473##
474## Process descriptor-related system calls are allowed.
475##
476pdfork
477pdgetpid
478pdkill
479#pdwait4	# not yet implemented
480
481##
482## Allow pipe(2).
483##
484pipe
485pipe2
486
487##
488## Allow poll(2), which will be scoped by capability rights.
489## XXXRW: We don't yet do that scoping.
490##
491poll
492
493##
494## Allow I/O-related file descriptors, subject to capability rights.
495##
496pread
497preadv
498
499##
500## Allow access to profiling state on the current process.
501##
502profil
503
504##
505## Disallow ptrace(2) for now, but we do need debugging facilities in
506## capability mode, so we will want to revisit this, possibly by scoping its
507## operation.
508##
509#ptrace
510
511##
512## Allow I/O-related file descriptors, subject to capability rights.
513##
514pwrite
515pwritev
516read
517readv
518recv
519recvfrom
520recvmsg
521
522##
523## Allow real-time scheduling primitives to be used.
524##
525## XXXRW: These require scoping.
526##
527rtprio
528rtprio_thread
529
530##
531## Allow simple VM operations on the current process.
532##
533sbrk
534
535##
536## Allow querying trivial global scheduler state.
537##
538sched_get_priority_max
539sched_get_priority_min
540
541##
542## Allow various thread/process scheduler operations.
543##
544## XXXRW: Some of these require further scoping.
545##
546sched_getparam
547sched_getscheduler
548sched_rr_get_interval
549sched_setparam
550sched_setscheduler
551sched_yield
552
553##
554## Allow I/O-related file descriptors, subject to capability rights.
555##
556sctp_generic_recvmsg
557sctp_generic_sendmsg
558sctp_generic_sendmsg_iov
559sctp_peeloff
560
561##
562## Allow select(2), which will be scoped by capability rights.
563##
564## XXXRW: But is it?
565##
566select
567
568##
569## Allow I/O-related file descriptors, subject to capability rights.  Use of
570## explicit addresses here is restricted by the system calls themselves.
571##
572send
573sendfile
574sendmsg
575sendto
576
577##
578## Allow setting per-process audit state, which is controlled separately by
579## privileges.
580##
581setaudit
582setaudit_addr
583setauid
584
585##
586## Allow setting thread context.
587##
588setcontext
589
590##
591## Allow setting current process credential state, which is controlled
592## separately by privilege.
593##
594setegid
595seteuid
596setgid
597
598##
599## Allow use of the process interval timer.
600##
601setitimer
602
603##
604## Allow setpriority(2).
605##
606## XXXRW: Requires scoping.
607##
608setpriority
609
610##
611## Allow setting current process credential state, which is controlled
612## separately by privilege.
613##
614setregid
615setresgid
616setresuid
617setreuid
618
619##
620## Allow setting process resource limits with setrlimit(2).
621##
622setrlimit
623
624##
625## Allow creating a new session with setsid(2).
626##
627setsid
628
629##
630## Allow setting socket options with setsockopt(2), subject to capability
631## rights.
632##
633## XXXRW: Might require scoping.
634##
635setsockopt
636
637##
638## Allow setting current process credential state, which is controlled
639## separately by privilege.
640##
641setuid
642
643##
644## shm_open(2) is scoped so as to allow only access to new anonymous objects.
645##
646shm_open
647
648##
649## Allow I/O-related file descriptors, subject to capability rights.
650##
651shutdown
652
653##
654## Allow signal control on current process.
655##
656sigaction
657sigaltstack
658sigblock
659sigpending
660sigprocmask
661sigqueue
662sigreturn
663sigsetmask
664sigstack
665sigsuspend
666sigtimedwait
667sigvec
668sigwaitinfo
669
670##
671## Allow creating new socket pairs with socket(2) and socketpair(2).
672##
673socket
674socketpair
675
676##
677## Allow simple VM operations on the current process.
678##
679## XXXRW: Kernel doesn't implement this, so drop?
680##
681sstk
682
683##
684## Do allow sync(2) for now, but possibly shouldn't.
685##
686sync
687
688##
689## Always allow process termination with sys_exit(2).
690##
691sys_exit
692
693##
694## sysarch(2) does rather diverse things, but is required on at least i386
695## in order to configure per-thread data.  As such, it's scoped on each
696## architecture.
697##
698sysarch
699
700##
701## Allow thread operations operating only on current process.
702##
703thr_create
704thr_exit
705thr_kill
706
707##
708## Disallow thr_kill2(2), as it may operate beyond the current process.
709##
710## XXXRW: Requires scoping.
711##
712#thr_kill2
713
714##
715## Allow thread operations operating only on current process.
716##
717thr_new
718thr_self
719thr_set_name
720thr_suspend
721thr_wake
722
723##
724## Allow manipulation of the current process umask with umask(2).
725##
726umask
727
728##
729## Allow submitting of process trace entries with utrace(2).
730##
731utrace
732
733##
734## Allow generating UUIDs with uuidgen(2).
735##
736uuidgen
737
738##
739## Allow I/O-related file descriptors, subject to capability rights.
740##
741write
742writev
743
744##
745## Allow processes to yield(2).
746##
747yield
748