##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: stable/11/sys/kern/capabilities.conf 331679 2018-03-28 14:39:56Z emaste $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls are limited to caller's own process/thread.
##
#cpuset
cpuset_getaffinity
#cpuset_getid
cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
## SYF_CAPENABLED.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2).  This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
posix_fallocate
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
## with SYF_CAPENABLED.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
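A small parser and checker for this file's format, added here as an example and not part of FreeBSD's own build tooling: it reads the one-name-per-line layout with `##` prose blocks and `#name` entries for syscalls that were considered and left disabled, reports which syscalls a program uses that are not enabled in capability mode, and checks the alphabetical-order rule the header asks for. The conf excerpt and the syscall list it embeds are constructed for the example.

```python
"""Parser/checker for the capabilities.conf format above (added example,
not FreeBSD code).  Format: one syscall name per line, '##' comment blocks,
'#name' for a syscall considered and left disabled.  Constructed inputs."""

import re
from dataclasses import dataclass, field

# Constructed excerpt in the same format as the page; not the full file.
SAMPLE_CONF = """\
## List of system calls enabled in capability mode, one name per line.
## audit(2) is a global operation; disallow for now.
#audit
## Allow capability mode and capability system calls.
cap_enter
cap_rights_limit
## Always allow file descriptor close(2).
close
## Allow entry into open(2): it fails in capability mode but is audited.
open
openat
#pdwait4 # not yet implemented
#ptrace
"""

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class CapConf:
    enabled: list[str] = field(default_factory=list)  # names, in file order
    disabled: set[str] = field(default_factory=set)   # '#name' entries
    bad_lines: list[tuple[int, str]] = field(default_factory=list)


def parse_capabilities_conf(text: str) -> CapConf:
    """'##' lines are prose, '#name' marks a deliberately disabled syscall,
    anything else must be one syscall name (a trailing '# note' is allowed)."""
    conf = CapConf()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        disabled = line.startswith("#")
        name = line.lstrip("#").split("#", 1)[0].strip()
        if not NAME_RE.match(name):
            conf.bad_lines.append((lineno, raw))
        elif disabled:
            conf.disabled.add(name)
        else:
            conf.enabled.append(name)
    return conf


def unsorted_pairs(conf: CapConf) -> list[tuple[str, str]]:
    """Adjacent enabled entries that break the file's alphabetical rule."""
    return [(a, b) for a, b in zip(conf.enabled, conf.enabled[1:]) if a > b]


def blocked_syscalls(conf: CapConf, used: list[str]) -> dict[str, str]:
    """Map each syscall a program uses that is not enabled in capability
    mode to the reason: 'disabled' (listed as #name) or 'unlisted'."""
    allowed = set(conf.enabled)
    return {n: ("disabled" if n in conf.disabled else "unlisted")
            for n in used if n not in allowed}


if __name__ == "__main__":
    conf = parse_capabilities_conf(SAMPLE_CONF)
    # Constructed syscall list for a hypothetical sandboxed worker.  Note that
    # open(2) is reported as allowed: entry is permitted so the failure is
    # audited, even though the call itself fails in capability mode.
    used = ["cap_enter", "openat", "open", "close", "ptrace", "ktrace"]
    for name, why in blocked_syscalls(conf, used).items():
        print(f"{name}: {why}")
    print("unsorted:", unsorted_pairs(conf))
```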