1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.
30##
31## System calls listed here operate either fully or partially in the absence
32## of global namespaces or ambient authority.  In capability mode system calls
33## that operate only on global namespaces or require ambient authority have no
34## utility and thus are not permitted.
35##
36## Notes:
37## - sys_exit(2), abort2(2) and close(2) are very important.
38## - Sorted alphabetically, please keep it that way.
39##
40## $FreeBSD$
41##
42
43##
44## Allow ACL and MAC label operations by file descriptor, subject to
45## capability rights.  Allow MAC label operations on the current process but
46## we will need to scope __mac_get_pid(2).
47##
48__acl_aclcheck_fd
49__acl_delete_fd
50__acl_get_fd
51__acl_set_fd
52__mac_get_fd
53#__mac_get_pid
54__mac_get_proc
55__mac_set_fd
56__mac_set_proc
57
58##
59## Allow creating special file descriptors like eventfd(2).
60##
61__specialfd
62
63##
64## Allow sysctl(2) as we scope it internally to the call; this is a global
65## namespace, but there are several critical sysctls required for almost
66## anything to run, such as hw.pagesize.  For now that policy lives in the
67## kernel for performance and simplicity, but perhaps it could move to a
68## proxying daemon in userspace.
69##
70__sysctl
71__sysctlbyname
72
73##
74## Allow umtx operations as these are scoped by address space.
75##
76## XXXRW: Need to check this very carefully.
77##
78_umtx_op
79
80##
81## Allow process termination using abort2(2).
82##
83abort2
84
85##
86## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
87## relies on existing bindings on a socket, subject to capability rights.
88##
89accept
90accept4
91
92##
93## Allow AIO operations by file descriptor, subject to capability rights.
94##
95aio_cancel
96aio_error
97aio_fsync
98aio_read
99aio_return
100aio_suspend
101aio_waitcomplete
102aio_write
103aio_writev
104aio_readv
105
106##
107## audit(2) is a global operation, submitting to the global trail, but it is
108## controlled by privilege, and it might be useful to be able to submit
109## records from sandboxes.  For now, disallow, but we may want to think about
110## providing some sort of proxy service for this.
111##
112#audit
113
114##
115## Allow bindat(2).
116##
117bindat
118
119##
120## Allow capability mode and capability system calls.
121##
122cap_enter
123cap_fcntls_get
124cap_fcntls_limit
125cap_getmode
126cap_ioctls_get
127cap_ioctls_limit
128__cap_rights_get
129cap_rights_limit
130
131##
132## Allow read-only clock operations.
133##
134clock_getres
135clock_gettime
136
137##
138## Always allow file descriptor close(2).
139##
140close
141close_range
142closefrom
143
144##
145## Allow connectat(2).
146##
147connectat
148
149##
150## copy_file_range(2) reads from one descriptor and writes to the other.
151##
152copy_file_range
153
154##
155## cpuset(2) and related calls are limited to the caller's own process/thread.
156##
157#cpuset
158cpuset_getaffinity
159cpuset_getdomain
160#cpuset_getid
161cpuset_setaffinity
162cpuset_setdomain
163#cpuset_setid
164
165##
166## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
167##
168dup
169dup2
170
171##
172## Allow extended attribute operations by file descriptor, subject to
173## capability rights.
174##
175extattr_delete_fd
176extattr_get_fd
177extattr_list_fd
178extattr_set_fd
179
180##
181## Allow changing file flags, mode, and owner by file descriptor, subject to
182## capability rights.
183##
184fchflags
185fchmod
186fchown
187
188##
189## For now, allow fcntl(2), subject to capability rights, but this probably
190## needs additional scoping.
191##
192fcntl
193
194##
195## Allow fexecve(2), subject to capability rights.  We perform some scoping,
196## such as disallowing privilege escalation.
197##
198fexecve
199
200##
201## Allow flock(2), subject to capability rights.
202##
203flock
204
205##
206## Allow fork(2), even though it returns pids -- some applications seem to
207## prefer this interface.
208##
209fork
210
211##
212## Allow fpathconf(2), subject to capability rights.
213##
214fpathconf
215
216##
217## Allow various file descriptor-based I/O operations, subject to capability
218## rights.
219##
220freebsd11_fstat
221freebsd11_fstatat
222freebsd11_getdirentries
223freebsd11_fstatfs
224freebsd11_mknodat
225freebsd6_ftruncate
226freebsd6_lseek
227freebsd6_mmap
228freebsd6_pread
229freebsd6_pwrite
230
231##
232## Allow querying file and file system state with fstat(2) and fstatfs(2),
233## subject to capability rights.
234##
235fstat
236fstatfs
237
238##
239## Allow further file descriptor-based I/O operations, subject to capability
240## rights.
241##
242fdatasync
243fsync
244ftruncate
245
246##
247## Allow futimens(2) and futimes(2), subject to capability rights.
248##
249futimens
250futimes
251
252##
253## Allow querying process audit state, subject to normal access control.
254##
255getaudit
256getaudit_addr
257getauid
258
259##
260## Allow thread context management with getcontext(2).
261##
262getcontext
263
264##
265## Allow directory I/O on a file descriptor, subject to capability rights.
266## Originally we had separate capabilities for directory-specific read
267## operations, but on BSD we allow reading the raw directory data, so we just
268## rely on CAP_READ now.
269##
270getdents
271getdirentries
272
273##
274## Allow querying certain trivial global state.
275##
276getdomainname
277
278##
279## Allow querying certain per-process resource limit state.
280##
281getdtablesize
282
283##
284## Allow querying current process credential state.
285##
286getegid
287geteuid
288
289##
290## Allow querying certain trivial global state.
291##
292gethostid
293gethostname
294
295##
296## Allow querying per-process timer.
297##
298getitimer
299
300##
301## Allow querying current process credential state.
302##
303getgid
304getgroups
305getlogin
306getloginclass
307
308##
309## Allow querying certain trivial global state.
310##
311getpagesize
312getpeername
313
314##
315## Allow querying certain per-process scheduling, resource limit, and
316## credential state.
317##
318## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
319## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
320## getsid(2) needs scoping.
321##
322getpgid
323getpgrp
324getpid
325getppid
326getpriority
327getresgid
328getresuid
329getrlimit
330getrusage
331getsid
332
333##
334## Allow getrandom(2).
335##
336getrandom
337
338##
339## Allow querying socket state, subject to capability rights.
340##
341## XXXRW: getsockopt(2) may need more attention.
342##
343getsockname
344getsockopt
345
346##
347## Allow querying the global clock.
348##
349gettimeofday
350
351##
352## Allow querying current process credential state.
353##
354getuid
355
356##
357## Allow ioctl(2), which hopefully will be limited by applications to only the
358## required commands using the cap_ioctls_limit(2) system call.
359##
360ioctl
361
362##
363## Allow querying current process credential state.
364##
365issetugid
366
367##
368## Allow kevent(2), as we will authorize based on capability rights on the
369## target descriptor.
370##
371kevent
372
373##
374## Allow kill(2), as we allow the process to send signals only to itself.
375##
376kill
377
378##
379## Allow message queue operations on file descriptors, subject to capability
380## rights.
381## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
382## SYF_CAPENABLED.
383##
384kmq_notify
385kmq_setattr
386kmq_timedreceive
387kmq_timedsend
388
389##
390## Allow kqueue(2); we will control its use.
391##
392kqueue
393
394##
395## Allow managing per-process timers.
396##
397ktimer_create
398ktimer_delete
399ktimer_getoverrun
400ktimer_gettime
401ktimer_settime
402
403##
404## We can't allow ktrace(2) because it relies on a global namespace, but we
405## might want to introduce an fktrace(2) of some sort.
406##
407#ktrace
408
409##
410## Allow AIO operations by file descriptor, subject to capability rights.
411##
412lio_listio
413
414##
415## Allow listen(2), subject to capability rights.
416##
417## XXXRW: One might argue this manipulates a global namespace.
418##
419listen
420
421##
422## Allow I/O-related operations on file descriptors, subject to capability rights.
423##
424lseek
425
426##
427## Allow simple VM operations on the current process.
428##
429madvise
430mincore
431minherit
432mlock
433mlockall
434
435##
436## Allow memory mapping a file descriptor, and updating protections, subject
437## to capability rights.
438##
439mmap
440mprotect
441
442##
443## Allow simple VM operations on the current process.
444##
445msync
446munlock
447munlockall
448munmap
449
450##
451## Allow the current process to sleep.
452##
453nanosleep
454
455##
456## Allow querying the global clock.
457##
458ntp_gettime
459
460##
461## Allow AIO operations by file descriptor, subject to capability rights.
462##
463oaio_read
464oaio_write
465
466##
467## Allow simple VM operations on the current process.
468##
469break
470
471##
472## Allow AIO operations by file descriptor, subject to capability rights.
473##
474olio_listio
475
476##
477## Operations relative to directory capabilities.
478##
479chflagsat
480faccessat
481fchmodat
482fchownat
483fstatat
484futimesat
485linkat
486mkdirat
487mkfifoat
488mknodat
489openat
490readlinkat
491renameat
492symlinkat
493unlinkat
494funlinkat
495utimensat
496
497##
498## Process descriptor-related system calls are allowed.
499##
500pdfork
501pdgetpid
502pdkill
503#pdwait4	# not yet implemented
504
505##
506## Allow pipe(2).
507##
508pipe
509pipe2
510
511##
512## Allow poll(2), which will be scoped by capability rights.
513##
514poll
515ppoll
516
517##
518## Allow I/O-related operations on file descriptors, subject to capability rights.
519##
520posix_fallocate
521pread
522preadv
523
524##
525## Allow access to profiling state on the current process.
526##
527profil
528
529##
530## Disallow ptrace(2) for now, but we do need debugging facilities in
531## capability mode, so we will want to revisit this, possibly by scoping its
532## operation.
533##
534#ptrace
535
536##
537## Allow I/O-related operations on file descriptors, subject to capability rights.
538##
539pwrite
540pwritev
541read
542readv
543recv
544recvfrom
545recvmsg
546
547##
548## Allow real-time scheduling primitives to be used.
549##
550## XXXRW: These require scoping.
551##
552rtprio
553rtprio_thread
554
555##
556## Allow simple VM operations on the current process.
557##
558sbrk
559
560##
561## Allow querying trivial global scheduler state.
562##
563sched_get_priority_max
564sched_get_priority_min
565
566##
567## Allow various thread/process scheduler operations.
568##
569## XXXRW: Some of these require further scoping.
570##
571sched_getparam
572sched_getscheduler
573sched_rr_get_interval
574sched_setparam
575sched_setscheduler
576sched_yield
577
578##
579## Allow I/O-related operations on file descriptors, subject to capability rights.
580## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
581## with SYF_CAPENABLED.
582##
583sctp_generic_recvmsg
584sctp_generic_sendmsg
585sctp_generic_sendmsg_iov
586sctp_peeloff
587
588##
589## Allow pselect(2) and select(2), which will be scoped by capability rights.
590##
591## XXXRW: But is it?
592##
593pselect
594select
595
596##
597## Allow I/O-related operations on file descriptors, subject to capability
598## rights.  Use of explicit addresses here is restricted by the system calls
599## themselves.
599##
600send
601sendfile
602sendmsg
603sendto
604
605##
606## Allow setting per-process audit state, which is controlled separately by
607## privileges.
608##
609setaudit
610setaudit_addr
611setauid
612
613##
614## Allow setting thread context.
615##
616setcontext
617
618##
619## Allow setting current process credential state, which is controlled
620## separately by privilege.
621##
622setegid
623seteuid
624setgid
625
626##
627## Allow use of the process interval timer.
628##
629setitimer
630
631##
632## Allow setpriority(2).
633##
634## XXXRW: Requires scoping.
635##
636setpriority
637
638##
639## Allow setting current process credential state, which is controlled
640## separately by privilege.
641##
642setregid
643setresgid
644setresuid
645setreuid
646
647##
648## Allow setting process resource limits with setrlimit(2).
649##
650setrlimit
651
652##
653## Allow creating a new session with setsid(2).
654##
655setsid
656
657##
658## Allow setting socket options with setsockopt(2), subject to capability
659## rights.
660##
661## XXXRW: Might require scoping.
662##
663setsockopt
664
665##
666## Allow setting current process credential state, which is controlled
667## separately by privilege.
668##
669setuid
670
671##
672## shm_open(2) is scoped so as to allow access only to new anonymous objects.
673##
674shm_open
675shm_open2
676
677##
678## Allow I/O-related operations on file descriptors, subject to capability rights.
679##
680shutdown
681
682##
683## Allow signal control on current process.
684##
685sigaction
686sigaltstack
687sigblock
688sigfastblock
689sigpending
690sigprocmask
691sigqueue
692sigreturn
693sigsetmask
694sigstack
695sigsuspend
696sigtimedwait
697sigvec
698sigwaitinfo
699sigwait
700
701##
702## Allow creating new socket pairs with socket(2) and socketpair(2).
703##
704socket
705socketpair
706
707##
708## Allow simple VM operations on the current process.
709##
710## XXXRW: Kernel doesn't implement this, so drop?
711##
712sstk
713
714##
715## Allow sync(2) for now, though possibly it shouldn't be.
716##
717sync
718
719##
720## Always allow process termination with sys_exit(2).
721##
722sys_exit
723
724##
725## sysarch(2) does rather diverse things, but is required on at least i386
726## in order to configure per-thread data.  As such, it's scoped on each
727## architecture.
728##
729sysarch
730
731##
732## Allow thread operations operating only on the current process.
733##
734thr_create
735thr_exit
736thr_kill
737
738##
739## Disallow thr_kill2(2), as it may operate beyond the current process.
740##
741## XXXRW: Requires scoping.
742##
743#thr_kill2
744
745##
746## Allow thread operations operating only on the current process.
747##
748thr_new
749thr_self
750thr_set_name
751thr_suspend
752thr_wake
753
754##
755## Allow manipulation of the current process umask with umask(2).
756##
757umask
758
759##
760## Allow submitting of process trace entries with utrace(2).
761##
762utrace
763
764##
765## Allow generating UUIDs with uuidgen(2).
766##
767uuidgen
768
769##
770## Allow I/O-related operations on file descriptors, subject to capability rights.
771##
772write
773writev
774
775##
776## Allow processes to yield(2).
777##
778yield
779