##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## System calls listed here operate either fully or partially in the absence
## of global namespaces or ambient authority. In capability mode, system calls
## that operate only on global namespaces or require ambient authority have no
## utility and thus are not permitted. A name prefixed with a single '#' is a
## system call that has been considered and deliberately left disabled.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD$
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow creating special file descriptors like eventfd(2).
##
__specialfd

##
## Allow sysctl(2), as scoping is done inside the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl
__sysctlbyname

##
## Allow umtx operations, as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2), since it doesn't manipulate namespaces directly but
## rather relies on existing bindings on a socket, subject to capability
## rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write
aio_writev
aio_readv

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
close_range
closefrom

##
## Allow connectat(2).
##
connectat

##
## copy_file_range(2) reads from one descriptor and writes to the other.
##
copy_file_range

##
## cpuset(2) and related calls are limited to the caller's own process/thread.
##
#cpuset
cpuset_getaffinity
cpuset_getdomain
#cpuset_getid
cpuset_setaffinity
cpuset_setdomain
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations (compatibility entry
## points for older ABIs), subject to capability rights.
##
freebsd11_fstat
freebsd11_fstatat
freebsd11_getdirentries
freebsd11_fstatfs
freebsd11_mknodat
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fdatasync
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying certain per-process resource limit state.
##
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying the per-process interval timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin
getloginclass

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow getrandom(2).
##
getrandom

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications to only
## the required commands using the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
## SYF_CAPENABLED.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
break

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
funlinkat
utimensat

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
##
poll
ppoll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
posix_fallocate
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
## with SYF_CAPENABLED.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights. Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privilege.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so that only new anonymous objects (SHM_ANON) may be
## opened; named objects live in a global namespace.
##
shm_open
shm_open2

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigfastblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new sockets and socket pairs with socket(2) and
## socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that act only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that act only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow yield(2).
##
yield