capabilities.conf revision 293474
##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: stable/10/sys/kern/capabilities.conf 293474 2016-01-09 14:20:23Z dchagin $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2).  This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
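The file above has a three-way convention: a line beginning with `##` is a comment, a line beginning with a single `#` names a syscall that is deliberately kept out of capability mode (left in place as documentation of the decision), and every other non-blank line is a syscall the kernel will accept from a sandboxed process. The FreeBSD kernel build consumes this list when it generates the syscall table. The following is an added example, not part of capabilities.conf or of FreeBSD: a small Python auditor that parses an excerpt written in this format, answers "is this syscall enabled in capability mode?", verifies the header's two stated invariants (sys_exit(2), abort2(2) and close(2) must be present; entries should be sorted), and reports which entries are commented out. The `SAMPLE_CONF` excerpt is constructed for the example and intentionally contains ordering slips so the sort check has something to report; the function names (`parse_capabilities_conf`, `audit`, etc.) are the example's own.

```python
"""Audit a Capsicum-style capabilities.conf syscall whitelist.

Format conventions (as used by FreeBSD's sys/kern/capabilities.conf):
  - a line starting with "##" is a comment;
  - a line starting with a single "#" names a syscall deliberately left
    out of capability mode (kept as documentation of the decision);
  - any other non-blank line names a syscall enabled in capability mode.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed excerpt in the file's format; this is sample input for the
# example, not the real capabilities.conf.
SAMPLE_CONF = """\
##
## Allow capability mode and capability system calls.
##
cap_enter
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Always allow file descriptor close(2).
##
close

##
## Disallow ptrace(2) for now.
##
#ptrace

##
## Allow entry into open(2); it fails in capability mode but is audited.
##
open
openat
#pdwait4 # not yet implemented
sys_exit
abort2
"""

# Entries the real file's header calls "very important": a sandbox that
# cannot exit, abort, or close descriptors is not usable.
REQUIRED = ("sys_exit", "abort2", "close")


@dataclass
class Whitelist:
    enabled: list[str] = field(default_factory=list)
    disabled: list[str] = field(default_factory=list)


def parse_capabilities_conf(text: str) -> Whitelist:
    """Split the file into enabled and deliberately-disabled syscall names."""
    wl = Whitelist()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.startswith("#"):
            # "#name" or "#name # note": the name runs up to the next '#'
            name = line[1:].split("#", 1)[0].strip()
            if name:
                wl.disabled.append(name)
            continue
        wl.enabled.append(line)
    return wl


def is_cap_enabled(wl: Whitelist, syscall: str) -> bool:
    """True if the syscall would be accepted in capability mode."""
    return syscall in wl.enabled


def missing_required(wl: Whitelist) -> list[str]:
    """Required entries that are absent or commented out."""
    return [s for s in REQUIRED if s not in wl.enabled]


def out_of_order(wl: Whitelist) -> list[tuple[str, str]]:
    """Adjacent enabled entries that break the 'sorted' convention.

    Plain byte-order comparison is used, so a leading underscore sorts
    before letters, matching how the __acl_* entries lead the real file.
    """
    names = wl.enabled
    return [(a, b) for a, b in zip(names, names[1:]) if a > b]


def audit(text: str) -> dict:
    """One-shot report suitable for a build-time or review-time check."""
    wl = parse_capabilities_conf(text)
    return {
        "enabled": len(wl.enabled),
        "disabled": wl.disabled,
        "missing_required": missing_required(wl),
        "out_of_order": out_of_order(wl),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run against the real file (`python3 audit.py < /usr/src/sys/kern/capabilities.conf` after swapping `SAMPLE_CONF` for `sys.stdin.read()`), the sort check will flag the handful of entries in the listing above that are not in byte order, such as `__cap_rights_get` sitting among the `cap_*` entries and the `*at` block placed after `olio_listio`; the required-entry check is the one worth wiring into a build, since a whitelist missing `sys_exit` or `close` produces sandboxes that hang rather than fail cleanly.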