capabilities.conf revision 247667
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: head/sys/kern/capabilities.conf 247667 2013-03-02 21:11:30Z pjd $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
cap_new
cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
fchownat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
753
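A loader and lint for the format this file uses (one syscall per line, a leading `#` disables an entry, `##` comment blocks, and the header's request that the list stay sorted), written here as an added example that is not part of the FreeBSD tree: the function names, the constructed sample list and the sort and coverage checks are my own, not the kernel build's own parser.

```python
"""Parse and lint a capabilities.conf-style list of capability-mode syscalls.

Added example, not FreeBSD code. It reports enabled vs. commented-out entries,
adjacent pairs that break the file's alphabetical order, and which syscalls a
sandboxed program needs that the list does not enable.
"""
import re

# Constructed sample in the file's own format; the '#pdwait4' line carries a
# trailing note, as the real file's entry does.
SAMPLE_CONF = """\
##
## List of system calls enabled in capability mode, one name per line.
##
cap_enter
cap_rights_limit
close
#ktrace
#pdwait4\t# not yet implemented
read
open
ioctl
write
"""

_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_entries(text):
    """Yield (name, enabled) in file order, skipping blank and '##' lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        # Drop a trailing annotation: whitespace followed by '#'.
        body = re.split(r"\s+#", line, maxsplit=1)[0].strip()
        enabled = not body.startswith("#")
        name = body.lstrip("#").strip()
        if not _NAME_RE.match(name):
            raise ValueError("line %d: malformed entry %r" % (lineno, raw))
        yield name, enabled


def parse_capabilities_conf(text):
    """Return (enabled, disabled) syscall name lists in file order."""
    enabled, disabled = [], []
    for name, on in parse_entries(text):
        (enabled if on else disabled).append(name)
    return enabled, disabled


def find_sort_violations(text):
    """Adjacent (previous, current) pairs that break the file's sort order.

    Plain string comparison is used; it matches the file's own placement of
    '__acl_*' and '_umtx_*' ahead of 'abort2'.
    """
    names = [name for name, _ in parse_entries(text)]
    return [(a, b) for a, b in zip(names, names[1:]) if b < a]


def missing_syscalls(text, required):
    """Required syscalls (by capabilities.conf name) the list does not enable.

    'Enabled' only means the call may be entered in capability mode: open(2)
    is listed yet still fails, as the file's comment on it explains.
    """
    enabled, _ = parse_capabilities_conf(text)
    return sorted(set(required) - set(enabled))


if __name__ == "__main__":
    on, off = parse_capabilities_conf(SAMPLE_CONF)
    print("enabled:", on)
    print("disabled:", off)
    print("sort violations:", find_sort_violations(SAMPLE_CONF))
    print("missing:", missing_syscalls(SAMPLE_CONF, {"read", "write", "ktrace"}))
```

Run against the real file, the sort check flags the directory-capability block (faccessat after olio_listio) and a few other entries the header's ordering rule would move.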