FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf

     ##
     ## Copyright (c) 2008-2010 Robert N. M. Watson
     ## All rights reserved.
     ##
     ## This software was developed at the University of Cambridge Computer
     ## Laboratory with support from a grant from Google, Inc.
     ##
     ## Redistribution and use in source and binary forms, with or without
     ## modification, are permitted provided that the following conditions
    ## are met:
    ## 1. Redistributions of source code must retain the above copyright
    ##    notice, this list of conditions and the following disclaimer.
    ## 2. Redistributions in binary form must reproduce the above copyright
    ##    notice, this list of conditions and the following disclaimer in the
    ##    documentation and/or other materials provided with the distribution.
    ##
    ## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    ## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    ## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    ## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    ## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    ## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    ## SUCH DAMAGE.
    ##
    ## List of system calls enabled in capability mode, one name per line.
    ##
    ## Notes:
    ## - sys_exit(2), abort2(2) and close(2) are very important.
    ## - Sorted alphabetically, please keep it that way.
    ##
    ## $FreeBSD: releng/10.3/sys/kern/capabilities.conf 293474 2016-01-09 14:20:23Z dchagin $
    ##
    
    ##
    ## Allow ACL and MAC label operations by file descriptor, subject to
    ## capability rights.  Allow MAC label operations on the current process but
    ## we will need to scope __mac_get_pid(2).
    ##
    __acl_aclcheck_fd
    __acl_delete_fd
    __acl_get_fd
    __acl_set_fd
    __mac_get_fd
    #__mac_get_pid
    __mac_get_proc
    __mac_set_fd
    __mac_set_proc
    
    ##
    ## Allow sysctl(2) as we scope internal to the call; this is a global
    ## namespace, but there are several critical sysctls required for almost
    ## anything to run, such as hw.pagesize.  For now that policy lives in the
    ## kernel for performance and simplicity, but perhaps it could move to a
    ## proxying daemon in userspace.
    ##
    __sysctl
    
    ##
    ## Allow umtx operations as these are scoped by address space.
    ##
    ## XXRW: Need to check this very carefully.
    ##
    _umtx_lock
    _umtx_op
    _umtx_unlock
    
    ##
    ## Allow process termination using abort2(2).
    ##
    abort2
    
    ##
    ## Allow accept(2) since it doesn't manipulate namespaces directly, rather
    ## relies on existing bindings on a socket, subject to capability rights.
    ##
    accept
    accept4
    
    ##
    ## Allow AIO operations by file descriptor, subject to capability rights.
    ##
    aio_cancel
    aio_error
    aio_fsync
    aio_read
    aio_return
    aio_suspend
    aio_waitcomplete
    aio_write
    
    ##
    ## audit(2) is a global operation, submitting to the global trail, but it is
    ## controlled by privilege, and it might be useful to be able to submit
    ## records from sandboxes.  For now, disallow, but we may want to think about
    ## providing some sort of proxy service for this.
   ##
   #audit
   
   ##
   ## Allow bindat(2).
   ##
   bindat
   
   ##
   ## Allow capability mode and capability system calls.
   ##
   cap_enter
   cap_fcntls_get
   cap_fcntls_limit
   cap_getmode
   cap_ioctls_get
   cap_ioctls_limit
   __cap_rights_get
   cap_rights_limit
   
   ##
   ## Allow read-only clock operations.
   ##
   clock_getres
   clock_gettime
   
   ##
   ## Always allow file descriptor close(2).
   ##
   close
   closefrom
   
   ##
   ## Allow connectat(2).
   ##
   connectat
   
   ##
   ## cpuset(2) and related calls require scoping by process, but should
   ## eventually be allowed, at least in the current process case.
   ##
   #cpuset
   #cpuset_getaffinity
   #cpuset_getid
   #cpuset_setaffinity
   #cpuset_setid
   
   ##
   ## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
   ##
   dup
   dup2
   
   ##
   ## Allow extended attribute operations by file descriptor, subject to
   ## capability rights.
   ##
   extattr_delete_fd
   extattr_get_fd
   extattr_list_fd
   extattr_set_fd
   
   ##
   ## Allow changing file flags, mode, and owner by file descriptor, subject to
   ## capability rights.
   ##
   fchflags
   fchmod
   fchown
   
   ##
   ## For now, allow fcntl(2), subject to capability rights, but this probably
   ## needs additional scoping.
   ##
   fcntl
   
   ##
   ## Allow fexecve(2), subject to capability rights.  We perform some scoping,
   ## such as disallowing privilege escalation.
   ##
   fexecve
   
   ##
   ## Allow flock(2), subject to capability rights.
   ##
   flock
   
   ##
   ## Allow fork(2), even though it returns pids -- some applications seem to
   ## prefer this interface.
   ##
   fork
   
   ##
   ## Allow fpathconf(2), subject to capability rights.
   ##
   fpathconf
   
   ##
   ## Allow various file descriptor-based I/O operations, subject to capability
   ## rights.
   ##
   freebsd6_ftruncate
   freebsd6_lseek
   freebsd6_mmap
   freebsd6_pread
   freebsd6_pwrite
   
   ##
   ## Allow querying file and file system state with fstat(2) and fstatfs(2),
   ## subject to capability rights.
   ##
   fstat
   fstatfs
   
   ##
   ## Allow further file descriptor-based I/O operations, subject to capability
   ## rights.
   ##
   fsync
   ftruncate
   
   ##
   ## Allow futimens(2) and futimes(2), subject to capability rights.
   ##
   futimens
   futimes
   
   ##
   ## Allow querying process audit state, subject to normal access control.
   ##
   getaudit
   getaudit_addr
   getauid
   
   ##
   ## Allow thread context management with getcontext(2).
   ##
   getcontext
   
   ##
   ## Allow directory I/O on a file descriptor, subject to capability rights.
   ## Originally we had separate capabilities for directory-specific read
   ## operations, but on BSD we allow reading the raw directory data, so we just
   ## rely on CAP_READ now.
   ##
   getdents
   getdirentries
   
   ##
   ## Allow querying certain trivial global state.
   ##
   getdomainname
   
   ##
   ## Allow querying current process credential state.
   ##
   getegid
   geteuid
   
   ##
   ## Allow querying certain trivial global state.
   ##
   gethostid
   gethostname
   
   ##
   ## Allow querying per-process timer.
   ##
   getitimer
   
   ##
   ## Allow querying current process credential state.
   ##
   getgid
   getgroups
   getlogin
   
   ##
   ## Allow querying certain trivial global state.
   ##
   getpagesize
   getpeername
   
   ##
   ## Allow querying certain per-process scheduling, resource limit, and
   ## credential state.
   ##
   ## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
   ## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
   ## getsid(2) needs scoping.
   ##
   getpgid
   getpgrp
   getpid
   getppid
   getpriority
   getresgid
   getresuid
   getrlimit
   getrusage
   getsid
   
   ##
   ## Allow querying socket state, subject to capability rights.
   ##
   ## XXXRW: getsockopt(2) may need more attention.
   ##
   getsockname
   getsockopt
   
   ##
   ## Allow querying the global clock.
   ##
   gettimeofday
   
   ##
   ## Allow querying current process credential state.
   ##
   getuid
   
   ##
   ## Allow ioctl(2), which hopefully will be limited by applications only to
   ## required commands with cap_ioctls_limit(2) syscall.
   ##
   ioctl
   
   ##
   ## Allow querying current process credential state.
   ##
   issetugid
   
   ##
   ## Allow kevent(2), as we will authorize based on capability rights on the
   ## target descriptor.
   ##
   kevent
   
   ##
   ## Allow kill(2), as we allow the process to send signals only to himself.
   ##
   kill
   
   ##
   ## Allow message queue operations on file descriptors, subject to capability
   ## rights.
   ##
   kmq_notify
   kmq_setattr
   kmq_timedreceive
   kmq_timedsend
   
   ##
   ## Allow kqueue(2), we will control use.
   ##
   kqueue
   
   ##
   ## Allow managing per-process timers.
   ##
   ktimer_create
   ktimer_delete
   ktimer_getoverrun
   ktimer_gettime
   ktimer_settime
   
   ##
   ## We can't allow ktrace(2) because it relies on a global namespace, but we
   ## might want to introduce an fktrace(2) of some sort.
   ##
   #ktrace
   
   ##
   ## Allow AIO operations by file descriptor, subject to capability rights.
   ##
   lio_listio
   
   ##
   ## Allow listen(2), subject to capability rights.
   ##
   ## XXXRW: One might argue this manipulates a global namespace.
   ##
   listen
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   lseek
   
   ##
   ## Allow simple VM operations on the current process.
   ##
   madvise
   mincore
   minherit
   mlock
   mlockall
   
   ##
   ## Allow memory mapping a file descriptor, and updating protections, subject
   ## to capability rights.
   ##
   mmap
   mprotect
   
   ##
   ## Allow simple VM operations on the current process.
   ##
   msync
   munlock
   munlockall
   munmap
   
   ##
   ## Allow the current process to sleep.
   ##
   nanosleep
   
   ##
   ## Allow querying the global clock.
   ##
   ntp_gettime
   
   ##
   ## Allow AIO operations by file descriptor, subject to capability rights.
   ##
   oaio_read
   oaio_write
   
   ##
   ## Allow simple VM operations on the current process.
   ##
   obreak
   
   ##
   ## Allow AIO operations by file descriptor, subject to capability rights.
   ##
   olio_listio
   
   ##
   ## Operations relative to directory capabilities.
   ##
   chflagsat
   faccessat
   fchmodat
   fchownat
   fstatat
   futimesat
   linkat
   mkdirat
   mkfifoat
   mknodat
   openat
   readlinkat
   renameat
   symlinkat
   unlinkat
   utimensat
   
   ##
   ## Allow entry into open(2). This system call will fail, since access to the
   ## global file namespace has been disallowed, but allowing entry into the
   ## syscall means that an audit trail will be generated (which is also very
   ## useful for debugging).
   ##
   open
   
   ##
   ## Allow poll(2), which will be scoped by capability rights.
   ##
   ## XXXRW: Perhaps we don't need the OpenBSD version?
   ## XXXRW: We don't yet do that scoping.
   ##
   openbsd_poll
   
   ##
   ## Process descriptor-related system calls are allowed.
   ##
   pdfork
   pdgetpid
   pdkill
   #pdwait4        # not yet implemented
   
   ##
   ## Allow pipe(2).
   ##
   pipe
   pipe2
   
   ##
   ## Allow poll(2), which will be scoped by capability rights.
   ## XXXRW: We don't yet do that scoping.
   ##
   poll
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   pread
   preadv
   
   ##
   ## Allow access to profiling state on the current process.
   ##
   profil
   
   ##
   ## Disallow ptrace(2) for now, but we do need debugging facilities in
   ## capability mode, so we will want to revisit this, possibly by scoping its
   ## operation.
   ##
   #ptrace
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   pwrite
   pwritev
   read
   readv
   recv
   recvfrom
   recvmsg
   
   ##
   ## Allow real-time scheduling primitives to be used.
   ##
   ## XXXRW: These require scoping.
   ##
   rtprio
   rtprio_thread
   
   ##
   ## Allow simple VM operations on the current process.
   ##
   sbrk
   
   ##
   ## Allow querying trivial global scheduler state.
   ##
   sched_get_priority_max
   sched_get_priority_min
   
   ##
   ## Allow various thread/process scheduler operations.
   ##
   ## XXXRW: Some of these require further scoping.
   ##
   sched_getparam
   sched_getscheduler
   sched_rr_get_interval
   sched_setparam
   sched_setscheduler
   sched_yield
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   sctp_generic_recvmsg
   sctp_generic_sendmsg
   sctp_generic_sendmsg_iov
   sctp_peeloff
   
   ##
   ## Allow pselect(2) and select(2), which will be scoped by capability rights.
   ##
   ## XXXRW: But is it?
   ##
   pselect
   select
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.  Use of
   ## explicit addresses here is restricted by the system calls themselves.
   ##
   send
   sendfile
   sendmsg
   sendto
   
   ##
   ## Allow setting per-process audit state, which is controlled separately by
   ## privileges.
   ##
   setaudit
   setaudit_addr
   setauid
   
   ##
   ## Allow setting thread context.
   ##
   setcontext
   
   ##
   ## Allow setting current process credential state, which is controlled
   ## separately by privilege.
   ##
   setegid
   seteuid
   setgid
   
   ##
   ## Allow use of the process interval timer.
   ##
   setitimer
   
   ##
   ## Allow setpriority(2).
   ##
   ## XXXRW: Requires scoping.
   ##
   setpriority
   
   ##
   ## Allow setting current process credential state, which is controlled
   ## separately by privilege.
   ##
   setregid
   setresgid
   setresuid
   setreuid
   
   ##
   ## Allow setting process resource limits with setrlimit(2).
   ##
   setrlimit
   
   ##
   ## Allow creating a new session with setsid(2).
   ##
   setsid
   
   ##
   ## Allow setting socket options with setsockopt(2), subject to capability
   ## rights.
   ##
   ## XXXRW: Might require scoping.
   ##
   setsockopt
   
   ##
   ## Allow setting current process credential state, which is controlled
   ## separately by privilege.
   ##
   setuid
   
   ##
   ## shm_open(2) is scoped so as to allow only access to new anonymous objects.
   ##
   shm_open
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   shutdown
   
   ##
   ## Allow signal control on current process.
   ##
   sigaction
   sigaltstack
   sigblock
   sigpending
   sigprocmask
   sigqueue
   sigreturn
   sigsetmask
   sigstack
   sigsuspend
   sigtimedwait
   sigvec
   sigwaitinfo
   sigwait
   
   ##
   ## Allow creating new socket pairs with socket(2) and socketpair(2).
   ##
   socket
   socketpair
   
   ##
   ## Allow simple VM operations on the current process.
   ##
   ## XXXRW: Kernel doesn't implement this, so drop?
   ##
   sstk
   
   ##
   ## Do allow sync(2) for now, but possibly shouldn't.
   ##
   sync
   
   ##
   ## Always allow process termination with sys_exit(2).
   ##
   sys_exit
   
   ##
   ## sysarch(2) does rather diverse things, but is required on at least i386
   ## in order to configure per-thread data.  As such, it's scoped on each
   ## architecture.
   ##
   sysarch
   
   ##
   ## Allow thread operations operating only on current process.
   ##
   thr_create
   thr_exit
   thr_kill
   
   ##
   ## Disallow thr_kill2(2), as it may operate beyond the current process.
   ##
   ## XXXRW: Requires scoping.
   ##
   #thr_kill2
   
   ##
   ## Allow thread operations operating only on current process.
   ##
   thr_new
   thr_self
   thr_set_name
   thr_suspend
   thr_wake
   
   ##
   ## Allow manipulation of the current process umask with umask(2).
   ##
   umask
   
   ##
   ## Allow submitting of process trace entries with utrace(2).
   ##
   utrace
   
   ##
   ## Allow generating UUIDs with uuidgen(2).
   ##
   uuidgen
   
   ##
   ## Allow I/O-related file descriptors, subject to capability rights.
   ##
   write
   writev
   
   ##
   ## Allow processes to yield(2).
   ##
   yield

Cache object: 59427301ffee82f023019334e8f1c22b