1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.  A name
30## commented out with a single leading '#' is not enabled.
31## Notes:
32## - sys_exit(2), abort2(2) and close(2) are very important.
33## - Sorted alphabetically; please keep it that way.
34##
35## $FreeBSD: releng/11.0/sys/kern/capabilities.conf 304525 2016-08-20 11:59:19Z bdrewery $
36##
37
38##
39## Allow ACL and MAC label operations by file descriptor, subject to
40## capability rights.  Allow MAC label operations on the current process but
41## we will need to scope __mac_get_pid(2).
42##
43__acl_aclcheck_fd
44__acl_delete_fd
45__acl_get_fd
46__acl_set_fd
47__mac_get_fd
48#__mac_get_pid
49__mac_get_proc
50__mac_set_fd
51__mac_set_proc
52
53##
54## Allow sysctl(2) as we scope internal to the call; this is a global
55## namespace, but there are several critical sysctls required for almost
56## anything to run, such as hw.pagesize.  For now that policy lives in the
57## kernel for performance and simplicity, but perhaps it could move to a
58## proxying daemon in userspace.
59##
60__sysctl
61
62##
63## Allow umtx operations as these are scoped by address space.
64##
65## XXRW: Need to check this very carefully.
66##
67_umtx_op
68
69##
70## Allow process termination using abort2(2).
71##
72abort2
73
74##
75## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
76## relies on existing bindings on a socket, subject to capability rights.
77##
78accept
79accept4
80
81##
82## Allow AIO operations by file descriptor, subject to capability rights.
83##
84aio_cancel
85aio_error
86aio_fsync
87aio_read
88aio_return
89aio_suspend
90aio_waitcomplete
91aio_write
92
93##
94## audit(2) is a global operation, submitting to the global trail, but it is
95## controlled by privilege, and it might be useful to be able to submit
96## records from sandboxes.  For now, disallow, but we may want to think about
97## providing some sort of proxy service for this.
98##
99#audit
100
101##
102## Allow bindat(2).
103##
104bindat
105
106##
107## Allow capability mode and capability system calls.
108##
109cap_enter
110cap_fcntls_get
111cap_fcntls_limit
112cap_getmode
113cap_ioctls_get
114cap_ioctls_limit
115__cap_rights_get
116cap_rights_limit
117
118##
119## Allow read-only clock operations.
120##
121clock_getres
122clock_gettime
123
124##
125## Always allow file descriptor close(2).
126##
127close
128closefrom
129
130##
131## Allow connectat(2).
132##
133connectat
134
135##
136## cpuset(2) and related calls require scoping by process, but should
137## eventually be allowed, at least in the current process case.
138##
139#cpuset
140#cpuset_getaffinity
141#cpuset_getid
142#cpuset_setaffinity
143#cpuset_setid
144
145##
146## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
147##
148dup
149dup2
150
151##
152## Allow extended attribute operations by file descriptor, subject to
153## capability rights.
154##
155extattr_delete_fd
156extattr_get_fd
157extattr_list_fd
158extattr_set_fd
159
160##
161## Allow changing file flags, mode, and owner by file descriptor, subject to
162## capability rights.
163##
164fchflags
165fchmod
166fchown
167
168##
169## For now, allow fcntl(2), subject to capability rights, but this probably
170## needs additional scoping.
171##
172fcntl
173
174##
175## Allow fexecve(2), subject to capability rights.  We perform some scoping,
176## such as disallowing privilege escalation.
177##
178fexecve
179
180##
181## Allow flock(2), subject to capability rights.
182##
183flock
184
185##
186## Allow fork(2), even though it returns pids -- some applications seem to
187## prefer this interface.
188##
189fork
190
191##
192## Allow fpathconf(2), subject to capability rights.
193##
194fpathconf
195
196##
197## Allow various file descriptor-based I/O operations, subject to capability
198## rights.
199##
200freebsd6_ftruncate
201freebsd6_lseek
202freebsd6_mmap
203freebsd6_pread
204freebsd6_pwrite
205
206##
207## Allow querying file and file system state with fstat(2) and fstatfs(2),
208## subject to capability rights.
209##
210fstat
211fstatfs
212
213##
214## Allow further file descriptor-based I/O operations, subject to capability
215## rights.
216##
217fsync
218ftruncate
219
220##
221## Allow futimens(2) and futimes(2), subject to capability rights.
222##
223futimens
224futimes
225
226##
227## Allow querying process audit state, subject to normal access control.
228##
229getaudit
230getaudit_addr
231getauid
232
233##
234## Allow thread context management with getcontext(2).
235##
236getcontext
237
238##
239## Allow directory I/O on a file descriptor, subject to capability rights.
240## Originally we had separate capabilities for directory-specific read
241## operations, but on BSD we allow reading the raw directory data, so we just
242## rely on CAP_READ now.
243##
244getdents
245getdirentries
246
247##
248## Allow querying certain trivial global state.
249##
250getdomainname
251
252##
253## Allow querying current process credential state.
254##
255getegid
256geteuid
257
258##
259## Allow querying certain trivial global state.
260##
261gethostid
262gethostname
263
264##
265## Allow querying per-process timer.
266##
267getitimer
268
269##
270## Allow querying current process credential state.
271##
272getgid
273getgroups
274getlogin
275
276##
277## Allow querying certain trivial global state.
278##
279getpagesize
280getpeername
281
282##
283## Allow querying certain per-process scheduling, resource limit, and
284## credential state.
285##
286## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
287## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
288## getsid(2) needs scoping.
289##
290getpgid
291getpgrp
292getpid
293getppid
294getpriority
295getresgid
296getresuid
297getrlimit
298getrusage
299getsid
300
301##
302## Allow querying socket state, subject to capability rights.
303##
304## XXXRW: getsockopt(2) may need more attention.
305##
306getsockname
307getsockopt
308
309##
310## Allow querying the global clock.
311##
312gettimeofday
313
314##
315## Allow querying current process credential state.
316##
317getuid
318
319##
320## Allow ioctl(2), which hopefully will be limited by applications to only the
321## required commands via the cap_ioctls_limit(2) system call.
322##
323ioctl
324
325##
326## Allow querying current process credential state.
327##
328issetugid
329
330##
331## Allow kevent(2), as we will authorize based on capability rights on the
332## target descriptor.
333##
334kevent
335
336##
337## Allow kill(2), as we allow the process to send signals only to itself.
338##
339kill
340
341##
342## Allow message queue operations on file descriptors, subject to capability
343## rights.
344##
345kmq_notify
346kmq_setattr
347kmq_timedreceive
348kmq_timedsend
349
350##
351## Allow kqueue(2); we will control its use.
352##
353kqueue
354
355##
356## Allow managing per-process timers.
357##
358ktimer_create
359ktimer_delete
360ktimer_getoverrun
361ktimer_gettime
362ktimer_settime
363
364##
365## We can't allow ktrace(2) because it relies on a global namespace, but we
366## might want to introduce an fktrace(2) of some sort.
367##
368#ktrace
369
370##
371## Allow AIO operations by file descriptor, subject to capability rights.
372##
373lio_listio
374
375##
376## Allow listen(2), subject to capability rights.
377##
378## XXXRW: One might argue this manipulates a global namespace.
379##
380listen
381
382##
383## Allow I/O-related operations on file descriptors, subject to capability rights.
384##
385lseek
386
387##
388## Allow simple VM operations on the current process.
389##
390madvise
391mincore
392minherit
393mlock
394mlockall
395
396##
397## Allow memory mapping a file descriptor, and updating protections, subject
398## to capability rights.
399##
400mmap
401mprotect
402
403##
404## Allow simple VM operations on the current process.
405##
406msync
407munlock
408munlockall
409munmap
410
411##
412## Allow the current process to sleep.
413##
414nanosleep
415
416##
417## Allow querying the global clock.
418##
419ntp_gettime
420
421##
422## Allow AIO operations by file descriptor, subject to capability rights.
423##
424oaio_read
425oaio_write
426
427##
428## Allow simple VM operations on the current process.
429##
430obreak
431
432##
433## Allow AIO operations by file descriptor, subject to capability rights.
434##
435olio_listio
436
437##
438## Operations relative to directory capabilities.
439##
440chflagsat
441faccessat
442fchmodat
443fchownat
444fstatat
445futimesat
446linkat
447mkdirat
448mkfifoat
449mknodat
450openat
451readlinkat
452renameat
453symlinkat
454unlinkat
455utimensat
456
457##
458## Allow entry into open(2). This system call will fail, since access to the
459## global file namespace has been disallowed, but allowing entry into the
460## syscall means that an audit trail will be generated (which is also very
461## useful for debugging).
462##
463open
464
465##
466## Allow poll(2), which will be scoped by capability rights.
467##
468## XXXRW: Perhaps we don't need the OpenBSD version?
469## XXXRW: We don't yet do that scoping.
470##
471openbsd_poll
472
473##
474## Process descriptor-related system calls are allowed.
475##
476pdfork
477pdgetpid
478pdkill
479#pdwait4	# not yet implemented
480
481##
482## Allow pipe(2).
483##
484pipe
485pipe2
486
487##
488## Allow poll(2), which will be scoped by capability rights.
489## XXXRW: We don't yet do that scoping.
490##
491poll
492
493##
494## Allow I/O-related operations on file descriptors, subject to capability rights.
495##
496pread
497preadv
498
499##
500## Allow access to profiling state on the current process.
501##
502profil
503
504##
505## Disallow ptrace(2) for now, but we do need debugging facilities in
506## capability mode, so we will want to revisit this, possibly by scoping its
507## operation.
508##
509#ptrace
510
511##
512## Allow I/O-related operations on file descriptors, subject to capability rights.
513##
514pwrite
515pwritev
516read
517readv
518recv
519recvfrom
520recvmsg
521
522##
523## Allow real-time scheduling primitives to be used.
524##
525## XXXRW: These require scoping.
526##
527rtprio
528rtprio_thread
529
530##
531## Allow simple VM operations on the current process.
532##
533sbrk
534
535##
536## Allow querying trivial global scheduler state.
537##
538sched_get_priority_max
539sched_get_priority_min
540
541##
542## Allow various thread/process scheduler operations.
543##
544## XXXRW: Some of these require further scoping.
545##
546sched_getparam
547sched_getscheduler
548sched_rr_get_interval
549sched_setparam
550sched_setscheduler
551sched_yield
552
553##
554## Allow I/O-related operations on file descriptors, subject to capability rights.
555##
556sctp_generic_recvmsg
557sctp_generic_sendmsg
558sctp_generic_sendmsg_iov
559sctp_peeloff
560
561##
562## Allow pselect(2) and select(2), which will be scoped by capability rights.
563##
564## XXXRW: But is it?
565##
566pselect
567select
568
569##
570## Allow I/O-related operations on file descriptors, subject to capability rights.
571## Use of explicit addresses here is restricted by the system calls themselves.
572##
573send
574sendfile
575sendmsg
576sendto
577
578##
579## Allow setting per-process audit state, which is controlled separately by
580## privileges.
581##
582setaudit
583setaudit_addr
584setauid
585
586##
587## Allow setting thread context.
588##
589setcontext
590
591##
592## Allow setting current process credential state, which is controlled
593## separately by privilege.
594##
595setegid
596seteuid
597setgid
598
599##
600## Allow use of the process interval timer.
601##
602setitimer
603
604##
605## Allow setpriority(2).
606##
607## XXXRW: Requires scoping.
608##
609setpriority
610
611##
612## Allow setting current process credential state, which is controlled
613## separately by privilege.
614##
615setregid
616setresgid
617setresuid
618setreuid
619
620##
621## Allow setting process resource limits with setrlimit(2).
622##
623setrlimit
624
625##
626## Allow creating a new session with setsid(2).
627##
628setsid
629
630##
631## Allow setting socket options with setsockopt(2), subject to capability
632## rights.
633##
634## XXXRW: Might require scoping.
635##
636setsockopt
637
638##
639## Allow setting current process credential state, which is controlled
640## separately by privilege.
641##
642setuid
643
644##
645## shm_open(2) is scoped so as to allow only access to new anonymous objects.
646##
647shm_open
648
649##
650## Allow I/O-related operations on file descriptors, subject to capability rights.
651##
652shutdown
653
654##
655## Allow signal control on current process.
656##
657sigaction
658sigaltstack
659sigblock
660sigpending
661sigprocmask
662sigqueue
663sigreturn
664sigsetmask
665sigstack
666sigsuspend
667sigtimedwait
668sigvec
669sigwaitinfo
670sigwait
671
672##
673## Allow creating new socket pairs with socket(2) and socketpair(2).
674##
675socket
676socketpair
677
678##
679## Allow simple VM operations on the current process.
680##
681## XXXRW: Kernel doesn't implement this, so drop?
682##
683sstk
684
685##
686## Do allow sync(2) for now, but possibly shouldn't.
687##
688sync
689
690##
691## Always allow process termination with sys_exit(2).
692##
693sys_exit
694
695##
696## sysarch(2) does rather diverse things, but is required on at least i386
697## in order to configure per-thread data.  As such, it's scoped on each
698## architecture.
699##
700sysarch
701
702##
703## Allow thread operations that operate only on the current process.
704##
705thr_create
706thr_exit
707thr_kill
708
709##
710## Disallow thr_kill2(2), as it may operate beyond the current process.
711##
712## XXXRW: Requires scoping.
713##
714#thr_kill2
715
716##
717## Allow thread operations that operate only on the current process.
718##
719thr_new
720thr_self
721thr_set_name
722thr_suspend
723thr_wake
724
725##
726## Allow manipulation of the current process umask with umask(2).
727##
728umask
729
730##
731## Allow submitting of process trace entries with utrace(2).
732##
733utrace
734
735##
736## Allow generating UUIDs with uuidgen(2).
737##
738uuidgen
739
740##
741## Allow I/O-related operations on file descriptors, subject to capability rights.
742##
743write
744writev
745
746##
747## Allow processes to yield(2).
748##
749yield
750