


FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf


##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: releng/10.4/sys/kern/capabilities.conf 305518 2016-09-07 04:06:25Z emaste $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which applications are expected to restrict to only the
## required commands with the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4        # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.  Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new sockets and socket pairs with socket(2) and
## socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Allow sync(2) for now, though it possibly shouldn't be.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that operate only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that operate only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
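
The header note describes the file's format (one system call per line, "##" comment lines, a leading "#" marking a call that is listed but disabled, and a request that the list stay sorted), and the list as a whole is what decides which of a sandboxed program's calls still work once it has called cap_enter(2). The checker below is an added example written for this page; it is not FreeBSD code and not the kernel build script that actually consumes capabilities.conf. It parses a constructed excerpt embedded in the block (the excerpt, the hypothetical worker's call list and all function and type names are the example's own, not the project's), flags entries that break the header's sort rule when read literally in byte order (the real file does not fully satisfy it: pselect and select sit after the sctp_* entries, and the directory-relative block from chflagsat to utimensat sits after olio_listio), and reports which of a program's calls would not be available in capability mode.

```c
/* Added example, not FreeBSD code: a checker for the capabilities.conf syntax:
 * "##" lines are comments, "name" is enabled in capability mode, "#name" is
 * listed but disabled (a trailing "# ..." remark is ignored).  Entries that
 * break the header's "sorted alphabetically" rule are flagged, in byte order. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 512
#define MAX_NAME    64
enum { CONF_ABSENT = -1, CONF_DISABLED = 0, CONF_ENABLED = 1 };

struct entry { char name[MAX_NAME]; int enabled; };
struct capconf {
	struct entry e[MAX_ENTRIES];
	int unsorted[MAX_ENTRIES];	/* indexes into e[] that are out of order */
	int n, nunsorted;
};

/* Constructed excerpt; "pselect" sits after "read" on purpose, mirroring
 * pselect/select sitting after the sctp_* entries in the real file. */
static const char sample_conf[] =
    "##\n## List of system calls enabled in capability mode, one name per line.\n##\n"
    "__sysctl\nabort2\naccept\n#audit\ncap_enter\ncap_rights_limit\nclose\n"
    "fstat\n#ktrace\nopen\nopenat\n#pdwait4        # not yet implemented\n"
    "read\npselect\nselect\nwrite\n";

/* Parse capabilities.conf text; returns the number of entries, or -1 on a
 * list that is too long or a malformed (empty or overlong) name. */
int
capconf_parse(const char *text, struct capconf *cc)
{
	const char *line = text, *p, *end;
	struct entry *ent;
	size_t len;

	memset(cc, 0, sizeof(*cc));
	while (*line != '\0') {
		end = strchr(line, '\n');
		p = line + strspn(line, " \t");		/* skip indentation */
		line = end != NULL ? end + 1 : p + strlen(p);
		if (*p == '\0' || *p == '\n' || (p[0] == '#' && p[1] == '#'))
			continue;			/* blank line or "##" comment */
		if (cc->n >= MAX_ENTRIES)
			return (-1);
		ent = &cc->e[cc->n];
		ent->enabled = (*p != '#');
		p += !ent->enabled;			/* step over the '#' of "#name" */
		len = strcspn(p, " \t\n#");		/* name ends at blank, remark or EOL */
		if (len == 0 || len >= MAX_NAME)
			return (-1);
		memcpy(ent->name, p, len);
		ent->name[len] = '\0';
		if (cc->n > 0 && strcmp(cc->e[cc->n - 1].name, ent->name) > 0)
			cc->unsorted[cc->nunsorted++] = cc->n;
		cc->n++;
	}
	return (cc->n);
}

/* Absent and "#name" calls are equally unavailable; told apart for reporting. */
int
capconf_status(const struct capconf *cc, const char *name)
{
	int i;

	for (i = 0; i < cc->n; i++)
		if (strcmp(cc->e[i].name, name) == 0)
			return (cc->e[i].enabled ? CONF_ENABLED : CONF_DISABLED);
	return (CONF_ABSENT);
}

/* Count the calls in used[] that are not enabled; store up to max of them. */
int
capconf_blocked(const struct capconf *cc, const char *const *used, int nused,
    const char **blocked, int max)
{
	int i, nb = 0;

	for (i = 0; i < nused; i++) {
		if (capconf_status(cc, used[i]) == CONF_ENABLED)
			continue;
		if (nb < max)
			blocked[nb] = used[i];
		nb++;
	}
	return (nb);
}

int
main(void)
{
	const char *const worker[] =	/* constructed: a hypothetical worker's calls */
	    { "read", "write", "openat", "fstat", "ktrace", "ptrace" };
	static struct capconf cc;
	const char *blocked[8];
	int i, nb;

	printf("parsed %d entries\n", capconf_parse(sample_conf, &cc));
	for (i = 0; i < cc.nunsorted; i++)
		printf("out of order: %s\n", cc.e[cc.unsorted[i]].name);
	nb = capconf_blocked(&cc, worker, 6, blocked, 8);
	for (i = 0; i < nb; i++)
		printf("unavailable in capability mode: %s\n", blocked[i]);
	return (0);
}
```

Presence in the list only means the call can be entered in capability mode, not that it will succeed: open(2) is listed, yet as its comment says it still fails because the global file namespace is closed, and ioctl(2) is expected to be narrowed per descriptor with cap_ioctls_limit(2). A practitioner auditing a sandboxed program therefore checks its calls against this list first and then against the per-descriptor rights it actually holds.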





This page is part of the FreeBSD/Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.