capabilities.conf revision 247667
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: head/sys/kern/capabilities.conf 247667 2013-03-02 21:11:30Z pjd $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
cap_new
cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2); applications are expected to restrict it to the commands
## they actually need with the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
fchownat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2).  This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptor operations, subject to capability rights.
## Use of explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privilege.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new sockets and socket pairs with socket(2) and
## socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that act only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that act only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
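The list above is consumed by the kernel build, but a practitioner moving a program into capability mode mostly wants to know which of its system calls will be refused: a call whose name is absent from the list is rejected with ECAPMODE before it is entered, a name carrying a leading "#" is deliberately left out, and open(2) is admitted only so that the failing call leaves an audit record. The following is an added example, not part of FreeBSD or of this file: it parses the file's format, checks the "sorted alphabetically" rule the header asks for, and audits a syscall trace against the list. The conf excerpt and the trace are constructed for the demonstration; the getitimer/getgid ordering in the excerpt is copied from the file above, which lists getitimer before getgid despite its own note.

```python
"""Audit a FreeBSD capabilities.conf allowlist and a syscall trace against it.

Added example; not FreeBSD code.  The conf excerpt and the trace below are
constructed for the demonstration.
"""

# Constructed excerpt in the format of sys/kern/capabilities.conf: "##" lines
# are comments, a bare name enables that syscall in capability mode, a leading
# single "#" keeps the name in the file but leaves the syscall disabled, and a
# second "#" on such a line starts a trailing remark.  The getitimer/getgid
# order is copied from the real file on purpose (see sort_violations).
SAMPLE_CONF = """\
##
## List of system calls enabled in capability mode, one name per line.
##
__sysctl

##
## audit(2) is a global operation; disallow for now.
##
#audit

cap_enter
cap_rights_limit
close
getegid
geteuid
gethostid
getitimer
getgid
open
openat
#pdwait4 # not yet implemented
read
sys_exit
write
"""

# Constructed trace, one "name(args)" line per call, in truss(1) style.
SAMPLE_TRACE = [
    'cap_enter()',
    'openat(3,"config.json",O_RDONLY,00)',
    'read(4,"{...}",4096)',
    'open("/etc/resolv.conf",O_RDONLY,00)',
    'audit(0x8003,64)',
    'ktrace("/tmp/out",KTROP_SET,0xf,0)',
    'write(1,"ok\\n",3)',
    'close(4)',
]

# The file admits open(2) only so that the always-failing call is audited;
# list it here so the audit does not report it as usable in the sandbox.
ENTERS_BUT_FAILS = frozenset({"open"})


def entries(text):
    """Yield (name, enabled) for every syscall line, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # blank line or comment block
        enabled = not line.startswith("#")
        # Drop a disabling "#", then anything after a trailing "#" remark.
        name = line.lstrip("#").split("#", 1)[0].strip()
        if name:
            yield name, enabled


def parse_capabilities_conf(text):
    """Return (enabled, disabled) sets of syscall names."""
    enabled, disabled = set(), set()
    for name, on in entries(text):
        (enabled if on else disabled).add(name)
    return enabled, disabled


def sort_violations(text):
    """Return (previous, current) pairs where the file breaks its own
    "sorted alphabetically" rule; disabled entries take part in the order."""
    names = [name for name, _ in entries(text)]
    return [(a, b) for a, b in zip(names, names[1:]) if b < a]


def audit_trace(trace_lines, enabled, disabled):
    """Classify each syscall name in a trace for capability mode:
    'allowed'  - listed, so the kernel enters it (descriptor rights still apply);
    'disabled' - present in the file but commented out;
    'unlisted' - absent, so the kernel rejects it with ECAPMODE before entry;
    'enters-then-fails' - open(2), admitted only for the audit trail."""
    verdicts = {}
    for line in trace_lines:
        name = line.split("(", 1)[0].strip()
        if not name:
            continue
        if name in ENTERS_BUT_FAILS and name in enabled:
            verdicts[name] = "enters-then-fails"
        elif name in enabled:
            verdicts[name] = "allowed"
        elif name in disabled:
            verdicts[name] = "disabled"
        else:
            verdicts[name] = "unlisted"
    return verdicts


if __name__ == "__main__":
    on, off = parse_capabilities_conf(SAMPLE_CONF)
    for pair in sort_violations(SAMPLE_CONF):
        print("out of order: %s listed before %s" % pair)
    for name, verdict in sorted(audit_trace(SAMPLE_TRACE, on, off).items()):
        print("%-12s %s" % (name, verdict))
```

Trace names must match the kernel's syscall names as they appear in the file (sys_exit rather than exit, for instance), so output from truss(1) or kdump(1) may need a small mapping step first. An "allowed" verdict only means the kernel will enter the call; whether it succeeds still depends on the rights held by the descriptor it is given, which is what cap_rights_limit(2) and cap_ioctls_limit(2) narrow.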