##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD$
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2), as we scope it internally within the call; this is a
## global namespace, but there are several critical sysctls required for
## almost anything to run, such as hw.pagesize.  For now that policy lives in
## the kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations, as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2), since it doesn't manipulate namespaces directly but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying the per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2); applications are expected to limit it to only the
## required commands with the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2).  This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4	# not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.  Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privilege.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new sockets with socket(2) and new socket pairs with
## socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Allow sync(2) for now, though possibly we shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
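The format above is deliberately simple: one system call name per line, `#` starts a comment, and commenting a name out is how a call is disabled. The following parser is an added example in C and is not FreeBSD's own code (the kernel build consumes this file through makesyscalls.sh, which is not reproduced here); `capconf_parse`, `capconf_allows` and `capconf_first_unsorted` are names chosen for this example, and `capconf_sample` is a constructed excerpt rather than the full list. It answers the question the generated syscall table answers at runtime: is a given call permitted once the process has called cap_enter(2)?

```c
/*
 * Added example, not FreeBSD code: parse the capabilities.conf format and
 * report which system calls it enables in capability mode.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CAPCONF_MAX_SYSCALLS	512
#define CAPCONF_MAX_NAME	64

struct capconf {
	char	names[CAPCONF_MAX_SYSCALLS][CAPCONF_MAX_NAME];
	int	count;
};

/*
 * Parse a file body.  Text from '#' to end of line is dropped, so "#ktrace"
 * contributes nothing.  Returns the number of enabled names, or -1 on an
 * over-long name or a full table.
 */
int
capconf_parse(const char *text, struct capconf *conf)
{
	const char *p = text;

	conf->count = 0;
	while (*p != '\0') {
		const char *eol = strchr(p, '\n');
		size_t len = (eol != NULL) ? (size_t)(eol - p) : strlen(p);
		const char *hash = memchr(p, '#', len);
		size_t start = 0, end;

		if (hash != NULL)
			len = (size_t)(hash - p);
		while (start < len && isspace((unsigned char)p[start]))
			start++;
		end = len;
		while (end > start && isspace((unsigned char)p[end - 1]))
			end--;
		if (end > start) {
			if (end - start >= CAPCONF_MAX_NAME ||
			    conf->count >= CAPCONF_MAX_SYSCALLS)
				return (-1);
			memcpy(conf->names[conf->count], p + start, end - start);
			conf->names[conf->count][end - start] = '\0';
			conf->count++;
		}
		if (eol == NULL)
			break;
		p = eol + 1;
	}
	return (conf->count);
}

/* 1 if the named call is enabled in capability mode, 0 if not, -1 on parse error. */
int
capconf_allows(const char *text, const char *name)
{
	struct capconf conf;
	int i;

	if (capconf_parse(text, &conf) < 0)
		return (-1);
	for (i = 0; i < conf.count; i++)
		if (strcmp(conf.names[i], name) == 0)
			return (1);
	return (0);
}

/*
 * The header asks that the list stay sorted.  Return the index of the first
 * name that sorts before its predecessor, -1 if in order, -2 on parse error.
 */
int
capconf_first_unsorted(const char *text)
{
	struct capconf conf;
	int i;

	if (capconf_parse(text, &conf) < 0)
		return (-2);
	for (i = 1; i < conf.count; i++)
		if (strcmp(conf.names[i - 1], conf.names[i]) > 0)
			return (i);
	return (-1);
}

/* Constructed excerpt in the file's format; not the full list. */
const char *capconf_sample =
    "##\n"
    "## List of system calls enabled in capability mode, one name per line.\n"
    "##\n"
    "cap_enter\n"
    "close\n"
    "#ktrace\n"
    "open\n"
    "openat\n"
    "#pdwait4\t# not yet implemented\n"
    "read\n"
    "write\n";

int
main(void)
{
	const char *probe[] = { "open", "openat", "ktrace", "pdwait4" };
	size_t i;

	for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
		printf("%-8s %s\n", probe[i],
		    capconf_allows(capconf_sample, probe[i]) == 1 ?
		    "enabled" : "disabled");
	printf("sorted: %s\n",
	    capconf_first_unsorted(capconf_sample) == -1 ? "yes" : "no");
	return (0);
}
```

Note that `open` and `openat` are both reported as enabled: the list only says the call may be entered in capability mode, and it is the kernel's namespace checks inside open(2) that then make the absolute-path call fail, exactly as the comment on `open` above describes.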
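To see what the list means at runtime, the program below is an added example (my own code, not FreeBSD's) that exercises the policy the `open` and `openat` entries describe. It assumes a FreeBSD 10 or newer host with `/etc/passwd` readable; a child process pre-opens `/etc` as a directory capability, restricts it with cap_rights_limit(2), enters capability mode with cap_enter(2), and then tries open(2) of an absolute path (entered, and auditable, but failing with ECAPMODE), openat(2) relative to the directory capability (allowed, within its rights), and openat(2) for writing through the same descriptor (refused with ENOTCAPABLE because CAP_WRITE was not granted). The function name `capmode_probe` and the `PROBE_*` bit values are choices made for this example; on a non-FreeBSD host the function returns -1 without attempting anything.

```c
/*
 * Added example, not FreeBSD code: probe capability-mode behaviour of
 * open(2) versus openat(2) from a forked child.  Assumes FreeBSD >= 10.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Bits in the child's exit status, one per check (values chosen here). */
#define PROBE_IN_CAPMODE	0x1	/* cap_getmode(2) reports capability mode */
#define PROBE_OPEN_ECAPMODE	0x2	/* open(2) of an absolute path -> ECAPMODE */
#define PROBE_OPENAT_OK		0x4	/* openat(2) beneath the directory cap works */
#define PROBE_OPENAT_WRITE_DENIED 0x8	/* O_WRONLY refused: no CAP_WRITE granted */
#define PROBE_ALL		0xf

/* Returns the bitmask of checks that passed, or -1 if the probe could not run. */
int
capmode_probe(void)
{
#ifdef __FreeBSD__
	pid_t pid;
	int status;

	pid = fork();
	if (pid < 0)
		return (-1);
	if (pid == 0) {
		cap_rights_t rights;
		u_int mode;
		int dfd, fd, result = 0;

		/* The directory capability is obtained before sandboxing. */
		dfd = open("/etc", O_RDONLY | O_DIRECTORY);
		if (dfd < 0)
			_exit(0);
		/* Read-only lookups beneath /etc: no CAP_WRITE, no CAP_CREATE. */
		cap_rights_init(&rights, CAP_LOOKUP, CAP_READ, CAP_SEEK, CAP_FSTAT);
		if (cap_rights_limit(dfd, &rights) < 0 || cap_enter() < 0)
			_exit(0);

		if (cap_getmode(&mode) == 0 && mode != 0)
			result |= PROBE_IN_CAPMODE;
		/* Global namespace: the call is entered (and audited) but fails. */
		if (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE)
			result |= PROBE_OPEN_ECAPMODE;
		/* Relative to the capability: allowed, within its rights. */
		fd = openat(dfd, "passwd", O_RDONLY);
		if (fd >= 0) {
			result |= PROBE_OPENAT_OK;
			close(fd);
		}
		/* Same directory, but a right the descriptor does not carry. */
		if (openat(dfd, "passwd", O_WRONLY) < 0 && errno == ENOTCAPABLE)
			result |= PROBE_OPENAT_WRITE_DENIED;
		_exit(result);
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return (-1);
	return (WEXITSTATUS(status));
#else
	return (-1);	/* Capsicum is not available on this host. */
#endif
}

int
main(void)
{
	int r = capmode_probe();

	if (r < 0) {
		printf("capability mode probe not available on this host\n");
		return (0);
	}
	printf("in capability mode:         %s\n", (r & PROBE_IN_CAPMODE) ? "yes" : "no");
	printf("open(2) failed ECAPMODE:    %s\n", (r & PROBE_OPEN_ECAPMODE) ? "yes" : "no");
	printf("openat(2) read allowed:     %s\n", (r & PROBE_OPENAT_OK) ? "yes" : "no");
	printf("openat(2) write refused:    %s\n", (r & PROBE_OPENAT_WRITE_DENIED) ? "yes" : "no");
	return (r == PROBE_ALL ? 0 : 1);
}
```

The work is done in a child so the parent can keep its full privileges to report results; once a process has called cap_enter(2) there is no way back, and everything it does afterwards must go through descriptors it already holds.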