1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.
30##
31## Notes:
32## - sys_exit(2), abort2(2) and close(2) are very important.
33## - Sorted alphabetically, please keep it that way.
34##
35## $FreeBSD: stable/10/sys/kern/capabilities.conf 293474 2016-01-09 14:20:23Z dchagin $
36##
37
38##
39## Allow ACL and MAC label operations by file descriptor, subject to
41## capability rights.  Allow MAC label operations on the current process, but
42## we will need to scope __mac_get_pid(2).
42##
43__acl_aclcheck_fd
44__acl_delete_fd
45__acl_get_fd
46__acl_set_fd
47__mac_get_fd
48#__mac_get_pid
49__mac_get_proc
50__mac_set_fd
51__mac_set_proc
52
53##
54## Allow sysctl(2) as we scope internal to the call; this is a global
55## namespace, but there are several critical sysctls required for almost
56## anything to run, such as hw.pagesize.  For now that policy lives in the
57## kernel for performance and simplicity, but perhaps it could move to a
58## proxying daemon in userspace.
59##
60__sysctl
61
62##
63## Allow umtx operations as these are scoped by address space.
64##
66## XXXRW: Need to check this very carefully.
66##
67_umtx_lock
68_umtx_op
69_umtx_unlock
70
71##
72## Allow process termination using abort2(2).
73##
74abort2
75
76##
78## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
79## relies on existing bindings on a socket, subject to capability rights.
79##
80accept
81accept4
82
83##
84## Allow AIO operations by file descriptor, subject to capability rights.
85##
86aio_cancel
87aio_error
88aio_fsync
89aio_read
90aio_return
91aio_suspend
92aio_waitcomplete
93aio_write
94
95##
96## audit(2) is a global operation, submitting to the global trail, but it is
97## controlled by privilege, and it might be useful to be able to submit
98## records from sandboxes.  For now, disallow, but we may want to think about
99## providing some sort of proxy service for this.
100##
101#audit
102
103##
104## Allow bindat(2).
105##
106bindat
107
108##
109## Allow capability mode and capability system calls.
110##
111cap_enter
112cap_fcntls_get
113cap_fcntls_limit
114cap_getmode
115cap_ioctls_get
116cap_ioctls_limit
117__cap_rights_get
118cap_rights_limit
119
120##
121## Allow read-only clock operations.
122##
123clock_getres
124clock_gettime
125
126##
127## Always allow file descriptor close(2).
128##
129close
130closefrom
131
132##
133## Allow connectat(2).
134##
135connectat
136
137##
138## cpuset(2) and related calls require scoping by process, but should
139## eventually be allowed, at least in the current process case.
140##
141#cpuset
142#cpuset_getaffinity
143#cpuset_getid
144#cpuset_setaffinity
145#cpuset_setid
146
147##
148## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
149##
150dup
151dup2
152
153##
154## Allow extended attribute operations by file descriptor, subject to
155## capability rights.
156##
157extattr_delete_fd
158extattr_get_fd
159extattr_list_fd
160extattr_set_fd
161
162##
163## Allow changing file flags, mode, and owner by file descriptor, subject to
164## capability rights.
165##
166fchflags
167fchmod
168fchown
169
170##
171## For now, allow fcntl(2), subject to capability rights, but this probably
172## needs additional scoping.
173##
174fcntl
175
176##
177## Allow fexecve(2), subject to capability rights.  We perform some scoping,
178## such as disallowing privilege escalation.
179##
180fexecve
181
182##
183## Allow flock(2), subject to capability rights.
184##
185flock
186
187##
188## Allow fork(2), even though it returns pids -- some applications seem to
189## prefer this interface.
190##
191fork
192
193##
194## Allow fpathconf(2), subject to capability rights.
195##
196fpathconf
197
198##
199## Allow various file descriptor-based I/O operations, subject to capability
200## rights.
201##
202freebsd6_ftruncate
203freebsd6_lseek
204freebsd6_mmap
205freebsd6_pread
206freebsd6_pwrite
207
208##
209## Allow querying file and file system state with fstat(2) and fstatfs(2),
210## subject to capability rights.
211##
212fstat
213fstatfs
214
215##
216## Allow further file descriptor-based I/O operations, subject to capability
217## rights.
218##
219fsync
220ftruncate
221
222##
223## Allow futimens(2) and futimes(2), subject to capability rights.
224##
225futimens
226futimes
227
228##
229## Allow querying process audit state, subject to normal access control.
230##
231getaudit
232getaudit_addr
233getauid
234
235##
236## Allow thread context management with getcontext(2).
237##
238getcontext
239
240##
241## Allow directory I/O on a file descriptor, subject to capability rights.
242## Originally we had separate capabilities for directory-specific read
243## operations, but on BSD we allow reading the raw directory data, so we just
244## rely on CAP_READ now.
245##
246getdents
247getdirentries
248
249##
250## Allow querying certain trivial global state.
251##
252getdomainname
253
254##
255## Allow querying current process credential state.
256##
257getegid
258geteuid
259
260##
261## Allow querying certain trivial global state.
262##
263gethostid
264gethostname
265
266##
267## Allow querying per-process timer.
268##
269getitimer
270
271##
272## Allow querying current process credential state.
273##
274getgid
275getgroups
276getlogin
277
278##
279## Allow querying certain trivial global state.
280##
281getpagesize
282getpeername
283
284##
285## Allow querying certain per-process scheduling, resource limit, and
286## credential state.
287##
288## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
289## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
290## getsid(2) needs scoping.
291##
292getpgid
293getpgrp
294getpid
295getppid
296getpriority
297getresgid
298getresuid
299getrlimit
300getrusage
301getsid
302
303##
304## Allow querying socket state, subject to capability rights.
305##
306## XXXRW: getsockopt(2) may need more attention.
307##
308getsockname
309getsockopt
310
311##
312## Allow querying the global clock.
313##
314gettimeofday
315
316##
317## Allow querying current process credential state.
318##
319getuid
320
321##
323## Allow ioctl(2), which hopefully will be limited by applications only to
324## required commands with the cap_ioctls_limit(2) syscall.
324##
325ioctl
326
327##
328## Allow querying current process credential state.
329##
330issetugid
331
332##
333## Allow kevent(2), as we will authorize based on capability rights on the
334## target descriptor.
335##
336kevent
337
338##
340## Allow kill(2), as we allow the process to send signals only to itself.
340##
341kill
342
343##
344## Allow message queue operations on file descriptors, subject to capability
345## rights.
346##
347kmq_notify
348kmq_setattr
349kmq_timedreceive
350kmq_timedsend
351
352##
354## Allow kqueue(2); we will control its use.
354##
355kqueue
356
357##
358## Allow managing per-process timers.
359##
360ktimer_create
361ktimer_delete
362ktimer_getoverrun
363ktimer_gettime
364ktimer_settime
365
366##
367## We can't allow ktrace(2) because it relies on a global namespace, but we
368## might want to introduce an fktrace(2) of some sort.
369##
370#ktrace
371
372##
373## Allow AIO operations by file descriptor, subject to capability rights.
374##
375lio_listio
376
377##
378## Allow listen(2), subject to capability rights.
379##
380## XXXRW: One might argue this manipulates a global namespace.
381##
382listen
383
384##
386## Allow I/O operations on file descriptors, subject to capability rights.
386##
387lseek
388
389##
390## Allow simple VM operations on the current process.
391##
392madvise
393mincore
394minherit
395mlock
396mlockall
397
398##
399## Allow memory mapping a file descriptor, and updating protections, subject
400## to capability rights.
401##
402mmap
403mprotect
404
405##
406## Allow simple VM operations on the current process.
407##
408msync
409munlock
410munlockall
411munmap
412
413##
414## Allow the current process to sleep.
415##
416nanosleep
417
418##
419## Allow querying the global clock.
420##
421ntp_gettime
422
423##
424## Allow AIO operations by file descriptor, subject to capability rights.
425##
426oaio_read
427oaio_write
428
429##
430## Allow simple VM operations on the current process.
431##
432obreak
433
434##
435## Allow AIO operations by file descriptor, subject to capability rights.
436##
437olio_listio
438
439##
440## Operations relative to directory capabilities.
441##
442chflagsat
443faccessat
444fchmodat
445fchownat
446fstatat
447futimesat
448linkat
449mkdirat
450mkfifoat
451mknodat
452openat
453readlinkat
454renameat
455symlinkat
456unlinkat
457utimensat
458
459##
460## Allow entry into open(2). This system call will fail, since access to the
461## global file namespace has been disallowed, but allowing entry into the
462## syscall means that an audit trail will be generated (which is also very
463## useful for debugging).
464##
465open
466
467##
468## Allow poll(2), which will be scoped by capability rights.
469##
470## XXXRW: Perhaps we don't need the OpenBSD version?
471## XXXRW: We don't yet do that scoping.
472##
473openbsd_poll
474
475##
476## Process descriptor-related system calls are allowed.
477##
478pdfork
479pdgetpid
480pdkill
481#pdwait4	# not yet implemented
482
483##
484## Allow pipe(2).
485##
486pipe
487pipe2
488
489##
490## Allow poll(2), which will be scoped by capability rights.
491## XXXRW: We don't yet do that scoping.
492##
493poll
494
495##
497## Allow I/O operations on file descriptors, subject to capability rights.
497##
498pread
499preadv
500
501##
502## Allow access to profiling state on the current process.
503##
504profil
505
506##
507## Disallow ptrace(2) for now, but we do need debugging facilities in
508## capability mode, so we will want to revisit this, possibly by scoping its
509## operation.
510##
511#ptrace
512
513##
515## Allow I/O operations on file descriptors, subject to capability rights.
515##
516pwrite
517pwritev
518read
519readv
520recv
521recvfrom
522recvmsg
523
524##
525## Allow real-time scheduling primitives to be used.
526##
527## XXXRW: These require scoping.
528##
529rtprio
530rtprio_thread
531
532##
533## Allow simple VM operations on the current process.
534##
535sbrk
536
537##
538## Allow querying trivial global scheduler state.
539##
540sched_get_priority_max
541sched_get_priority_min
542
543##
544## Allow various thread/process scheduler operations.
545##
546## XXXRW: Some of these require further scoping.
547##
548sched_getparam
549sched_getscheduler
550sched_rr_get_interval
551sched_setparam
552sched_setscheduler
553sched_yield
554
555##
557## Allow I/O operations on file descriptors, subject to capability rights.
557##
558sctp_generic_recvmsg
559sctp_generic_sendmsg
560sctp_generic_sendmsg_iov
561sctp_peeloff
562
563##
564## Allow pselect(2) and select(2), which will be scoped by capability rights.
565##
566## XXXRW: But is it?
567##
568pselect
569select
570
571##
573## Allow I/O operations on file descriptors, subject to capability rights.  Use
574## of explicit addresses here is restricted by the system calls themselves.
574##
575send
576sendfile
577sendmsg
578sendto
579
580##
581## Allow setting per-process audit state, which is controlled separately by
582## privileges.
583##
584setaudit
585setaudit_addr
586setauid
587
588##
589## Allow setting thread context.
590##
591setcontext
592
593##
594## Allow setting current process credential state, which is controlled
595## separately by privilege.
596##
597setegid
598seteuid
599setgid
600
601##
602## Allow use of the process interval timer.
603##
604setitimer
605
606##
607## Allow setpriority(2).
608##
609## XXXRW: Requires scoping.
610##
611setpriority
612
613##
614## Allow setting current process credential state, which is controlled
615## separately by privilege.
616##
617setregid
618setresgid
619setresuid
620setreuid
621
622##
623## Allow setting process resource limits with setrlimit(2).
624##
625setrlimit
626
627##
628## Allow creating a new session with setsid(2).
629##
630setsid
631
632##
633## Allow setting socket options with setsockopt(2), subject to capability
634## rights.
635##
636## XXXRW: Might require scoping.
637##
638setsockopt
639
640##
641## Allow setting current process credential state, which is controlled
642## separately by privilege.
643##
644setuid
645
646##
648## shm_open(2) is scoped so as to allow access only to new anonymous objects.
648##
649shm_open
650
651##
653## Allow I/O operations on file descriptors, subject to capability rights.
653##
654shutdown
655
656##
657## Allow signal control on current process.
658##
659sigaction
660sigaltstack
661sigblock
662sigpending
663sigprocmask
664sigqueue
665sigreturn
666sigsetmask
667sigstack
668sigsuspend
669sigtimedwait
670sigvec
671sigwaitinfo
672sigwait
673
674##
675## Allow creating new socket pairs with socket(2) and socketpair(2).
676##
677socket
678socketpair
679
680##
681## Allow simple VM operations on the current process.
682##
683## XXXRW: Kernel doesn't implement this, so drop?
684##
685sstk
686
687##
688## Do allow sync(2) for now, but possibly shouldn't.
689##
690sync
691
692##
693## Always allow process termination with sys_exit(2).
694##
695sys_exit
696
697##
698## sysarch(2) does rather diverse things, but is required on at least i386
699## in order to configure per-thread data.  As such, it's scoped on each
700## architecture.
701##
702sysarch
703
704##
706## Allow thread operations that act only on the current process.
706##
707thr_create
708thr_exit
709thr_kill
710
711##
712## Disallow thr_kill2(2), as it may operate beyond the current process.
713##
714## XXXRW: Requires scoping.
715##
716#thr_kill2
717
718##
720## Allow thread operations that act only on the current process.
720##
721thr_new
722thr_self
723thr_set_name
724thr_suspend
725thr_wake
726
727##
728## Allow manipulation of the current process umask with umask(2).
729##
730umask
731
732##
734## Allow submission of process trace entries with utrace(2).
734##
735utrace
736
737##
738## Allow generating UUIDs with uuidgen(2).
739##
740uuidgen
741
742##
744## Allow I/O operations on file descriptors, subject to capability rights.
744##
745write
746writev
747
748##
749## Allow processes to yield(2).
750##
751yield
752