##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: releng/11.0/sys/kern/capabilities.conf 304525 2016-08-20 11:59:19Z bdrewery $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptors, subject to capability rights. Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
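An added example, not part of capabilities.conf or of FreeBSD: a parser for this file's format (one syscall per line, `##` comments, a single leading `#` on an entry the authors list but do not enable) that reports the enabled set, the commented-out entries, and neighbours that break the header's "sorted alphabetically" rule, then checks a sandboxed program's syscall list against it. The sample configuration embedded below is constructed from a subset of the entries above; the helper names are this example's own.

```python
# Added example, not FreeBSD code: parse the capabilities.conf format and audit
# a program's syscall list against it.  Per the file header: one syscall per
# line, '##' opens a comment, a single leading '#' marks a listed-but-disabled
# syscall (e.g. '#ptrace'), and entries are meant to stay alphabetical.
import re
from typing import NamedTuple

SAMPLE_CONF = """\
##
## Constructed sample in the file's format (subset of the real entries).
##
cap_enter
cap_ioctls_limit
__cap_rights_get
cap_rights_limit
open
pdfork
#pdwait4   # not yet implemented
#ptrace
"""

class CapConf(NamedTuple):
    enabled: frozenset   # syscalls a capability-mode process may enter
    disabled: frozenset  # listed with a leading '#', hence not enabled
    unsorted: tuple      # adjacent (previous, name) pairs out of ASCII order

_ENTRY = re.compile(r"^(#?)([A-Za-z_]\w*)\s*(?:#.*)?$")

def parse_capabilities_conf(text):
    enabled, disabled, seen, unsorted = set(), set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # comment block or blank separator
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name = m.group(2)
        (disabled if m.group(1) else enabled).add(name)
        if seen and seen[-1] > name:      # violates the "keep it sorted" note
            unsorted.append((seen[-1], name))
        seen.append(name)
    return CapConf(frozenset(enabled), frozenset(disabled), tuple(unsorted))

def blocked_in_capability_mode(conf, used_syscalls):
    """Syscalls a sandboxed program uses that capability mode refuses at entry.
    'open' is not reported: the file admits it so the attempt is audited, even
    though the call then fails because the global namespace is unreachable."""
    return sorted(s for s in used_syscalls if s not in conf.enabled)
```

Running the parser over the complete file above reports the same kind of ordering slip the sample shows (`__cap_rights_get` sitting inside the `cap_*` block), which is what the header's sorting note is asking contributors to avoid.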