capabilities.conf revision 283942
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: stable/10/sys/kern/capabilities.conf 283942 2015-06-03 13:10:25Z emaste $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with the cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptors, subject to capability rights. Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
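The listing above is the policy the kernel build turns into the set of system calls a process may still make after cap_enter(2); the header asks that sys_exit(2), abort2(2) and close(2) always be present and that the list stay alphabetically sorted. The Python below is an added example, not FreeBSD's own tooling (the kernel build script that really consumes this file is not reproduced here): it parses a file in this format, splits enabled names from those the file deliberately leaves disabled, and checks the two invariants the header states. The assumption that a single `#` directly before a name marks a considered-and-rejected call (as in `#ptrace` and `#pdwait4 # not yet implemented`) is taken from the file's own usage rather than from any documented grammar, and the `SAMPLE` text is constructed for the demonstration.

```python
"""Reader and sanity checker for the capabilities.conf syscall list.

Added example; not FreeBSD code.  Assumed conventions, taken from the file's
own usage: lines starting with '##' are comments, a bare name enables that
system call in capability mode, and a single '#' directly before a name
(e.g. '#ptrace', '#pdwait4 # not yet implemented') records a call that was
considered and deliberately left disabled.
"""
import re

# A syscall name, optionally preceded by a single '#' marking it disabled.
ENTRY_RE = re.compile(r"^(#?)([A-Za-z_][A-Za-z0-9_]*)")

# The calls the file's header notes single out as essential.
ESSENTIAL = ("sys_exit", "abort2", "close")

# Constructed sample in the same format; 'open' is deliberately misordered.
SAMPLE = """\
##
## Constructed sample, not the real capabilities.conf.
##
abort2
close
#cpuset
fstat
#pdwait4 # not yet implemented
openat
open
sys_exit
"""


def parse(text):
    """Return (enabled, disabled): names in file order, split by the '#' flag."""
    enabled, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue  # blank line or block comment
        m = ENTRY_RE.match(line)
        if m is None:
            if line.startswith("#"):
                continue  # free-form single-'#' comment with no name attached
            raise ValueError(f"unparseable entry: {raw!r}")
        flag, name = m.groups()
        (disabled if flag else enabled).append(name)
    return enabled, disabled


def ordering_violations(names):
    """Names that sort before their predecessor (plain byte order, so '_' < 'a')."""
    return [cur for prev, cur in zip(names, names[1:]) if cur < prev]


def check(text):
    """Return a list of human-readable problems; an empty list means the file passes."""
    enabled, disabled = parse(text)
    problems = []
    for name in ESSENTIAL:
        if name not in enabled:
            problems.append(f"essential call not enabled: {name}")
    for name in ordering_violations(enabled):
        problems.append(f"out of alphabetical order: {name}")
    for name in sorted(set(enabled) & set(disabled)):
        problems.append(f"listed as both enabled and disabled: {name}")
    return problems


def classify(text, names):
    """Map each syscall name to 'enabled', 'disabled' or 'unlisted'.

    Lets a sandbox author confirm, before relying on cap_enter(2), that the
    calls a program needs are admitted into capability mode at all.
    """
    enabled, disabled = parse(text)
    on, off = set(enabled), set(disabled)
    return {n: "enabled" if n in on else "disabled" if n in off else "unlisted"
            for n in names}


if __name__ == "__main__":
    for problem in check(SAMPLE):
        print(problem)
    print(classify(SAMPLE, ["openat", "open", "ptrace", "cpuset"]))
```

Run against the listing above, the ordering check reports the places where the file departs from its own "sorted alphabetically" note under plain byte order, for instance `__cap_rights_get` sitting among the `cap_*` calls and the `*at` block placed after `olio_listio`; `classify` is the more practical half, since a call that is `unlisted` or `disabled` here is one the kernel will not admit once the process is in capability mode, which is exactly what a sandbox author wants to know before choosing which descriptors and rights to hand in.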