capabilities.conf revision 283942
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Entries are sorted alphabetically; please keep it that way.
##
## $FreeBSD: stable/10/sys/kern/capabilities.conf 283942 2015-06-03 13:10:25Z emaste $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process,
## but __mac_get_pid(2) still needs to be scoped.
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2), as scoping is done inside the call itself; the sysctl
## tree is a global namespace, but several sysctls, such as hw.pagesize, are
## required for almost anything to run.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2), since it does not manipulate namespaces directly but
## rather relies on existing bindings on a socket, subject to capability
## rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which applications will hopefully limit to only the
## required commands with the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Allow operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2).  This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.  Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow access only to new anonymous objects.
##
shm_open

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Allow sync(2) for now, although we possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that operate only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that operate only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process's umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
