1 ##
2 ## Copyright (c) 2008-2010 Robert N. M. Watson
3 ## All rights reserved.
4 ##
5 ## This software was developed at the University of Cambridge Computer
6 ## Laboratory with support from a grant from Google, Inc.
7 ##
8 ## Redistribution and use in source and binary forms, with or without
9 ## modification, are permitted provided that the following conditions
10 ## are met:
11 ## 1. Redistributions of source code must retain the above copyright
12 ## notice, this list of conditions and the following disclaimer.
13 ## 2. Redistributions in binary form must reproduce the above copyright
14 ## notice, this list of conditions and the following disclaimer in the
15 ## documentation and/or other materials provided with the distribution.
16 ##
17 ## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 ## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 ## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 ## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 ## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 ## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 ## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 ## SUCH DAMAGE.
28 ##
29 ## List of system calls enabled in capability mode, one name per line.
30 ##
31 ## Notes:
32 ## - sys_exit(2), abort2(2) and close(2) are very important.
33 ## - Sorted alphabetically, please keep it that way.
34 ##
35 ## $FreeBSD: releng/11.1/sys/kern/capabilities.conf 319819 2017-06-11 02:04:39Z allanjude $
36 ##
37
38 ##
39 ## Allow ACL and MAC label operations by file descriptor, subject to
40 ## capability rights. Allow MAC label operations on the current process but
41 ## we will need to scope __mac_get_pid(2).
42 ##
43 __acl_aclcheck_fd
44 __acl_delete_fd
45 __acl_get_fd
46 __acl_set_fd
47 __mac_get_fd
48 #__mac_get_pid
49 __mac_get_proc
50 __mac_set_fd
51 __mac_set_proc
52
53 ##
54 ## Allow sysctl(2) as we scope internal to the call; this is a global
55 ## namespace, but there are several critical sysctls required for almost
56 ## anything to run, such as hw.pagesize. For now that policy lives in the
57 ## kernel for performance and simplicity, but perhaps it could move to a
58 ## proxying daemon in userspace.
59 ##
60 __sysctl
61
62 ##
63 ## Allow umtx operations as these are scoped by address space.
64 ##
65 ## XXRW: Need to check this very carefully.
66 ##
67 _umtx_op
68
69 ##
70 ## Allow process termination using abort2(2).
71 ##
72 abort2
73
74 ##
75 ## Allow accept(2) since it doesn't manipulate namespaces directly, rather
76 ## relies on existing bindings on a socket, subject to capability rights.
77 ##
78 accept
79 accept4
80
81 ##
82 ## Allow AIO operations by file descriptor, subject to capability rights.
83 ##
84 aio_cancel
85 aio_error
86 aio_fsync
87 aio_read
88 aio_return
89 aio_suspend
90 aio_waitcomplete
91 aio_write
92
93 ##
94 ## audit(2) is a global operation, submitting to the global trail, but it is
95 ## controlled by privilege, and it might be useful to be able to submit
96 ## records from sandboxes. For now, disallow, but we may want to think about
97 ## providing some sort of proxy service for this.
98 ##
99 #audit
100
101 ##
102 ## Allow bindat(2).
103 ##
104 bindat
105
106 ##
107 ## Allow capability mode and capability system calls.
108 ##
109 cap_enter
110 cap_fcntls_get
111 cap_fcntls_limit
112 cap_getmode
113 cap_ioctls_get
114 cap_ioctls_limit
115 __cap_rights_get
116 cap_rights_limit
117
118 ##
119 ## Allow read-only clock operations.
120 ##
121 clock_getres
122 clock_gettime
123
124 ##
125 ## Always allow file descriptor close(2).
126 ##
127 close
128 closefrom
129
130 ##
131 ## Allow connectat(2).
132 ##
133 connectat
134
135 ##
136 ## cpuset(2) and related calls are limited to caller's own process/thread.
137 ##
138 #cpuset
139 cpuset_getaffinity
140 #cpuset_getid
141 cpuset_setaffinity
142 #cpuset_setid
143
144 ##
145 ## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
146 ##
147 dup
148 dup2
149
150 ##
151 ## Allow extended attribute operations by file descriptor, subject to
152 ## capability rights.
153 ##
154 extattr_delete_fd
155 extattr_get_fd
156 extattr_list_fd
157 extattr_set_fd
158
159 ##
160 ## Allow changing file flags, mode, and owner by file descriptor, subject to
161 ## capability rights.
162 ##
163 fchflags
164 fchmod
165 fchown
166
167 ##
168 ## For now, allow fcntl(2), subject to capability rights, but this probably
169 ## needs additional scoping.
170 ##
171 fcntl
172
173 ##
174 ## Allow fexecve(2), subject to capability rights. We perform some scoping,
175 ## such as disallowing privilege escalation.
176 ##
177 fexecve
178
179 ##
180 ## Allow flock(2), subject to capability rights.
181 ##
182 flock
183
184 ##
185 ## Allow fork(2), even though it returns pids -- some applications seem to
186 ## prefer this interface.
187 ##
188 fork
189
190 ##
191 ## Allow fpathconf(2), subject to capability rights.
192 ##
193 fpathconf
194
195 ##
196 ## Allow various file descriptor-based I/O operations, subject to capability
197 ## rights.
198 ##
199 freebsd6_ftruncate
200 freebsd6_lseek
201 freebsd6_mmap
202 freebsd6_pread
203 freebsd6_pwrite
204
205 ##
206 ## Allow querying file and file system state with fstat(2) and fstatfs(2),
207 ## subject to capability rights.
208 ##
209 fstat
210 fstatfs
211
212 ##
213 ## Allow further file descriptor-based I/O operations, subject to capability
214 ## rights.
215 ##
216 fsync
217 ftruncate
218
219 ##
220 ## Allow futimens(2) and futimes(2), subject to capability rights.
221 ##
222 futimens
223 futimes
224
225 ##
226 ## Allow querying process audit state, subject to normal access control.
227 ##
228 getaudit
229 getaudit_addr
230 getauid
231
232 ##
233 ## Allow thread context management with getcontext(2).
234 ##
235 getcontext
236
237 ##
238 ## Allow directory I/O on a file descriptor, subject to capability rights.
239 ## Originally we had separate capabilities for directory-specific read
240 ## operations, but on BSD we allow reading the raw directory data, so we just
241 ## rely on CAP_READ now.
242 ##
243 getdents
244 getdirentries
245
246 ##
247 ## Allow querying certain trivial global state.
248 ##
249 getdomainname
250 getdtablesize
251
252 ##
253 ## Allow querying current process credential state.
254 ##
255 getegid
256 geteuid
257
258 ##
259 ## Allow querying certain trivial global state.
260 ##
261 gethostid
262 gethostname
263
264 ##
265 ## Allow querying per-process timer.
266 ##
267 getitimer
268
269 ##
270 ## Allow querying current process credential state.
271 ##
272 getgid
273 getgroups
274 getlogin
275
276 ##
277 ## Allow querying certain trivial global state.
278 ##
279 getpagesize
280 getpeername
281
282 ##
283 ## Allow querying certain per-process scheduling, resource limit, and
284 ## credential state.
285 ##
286 ## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
287 ## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
288 ## getsid(2) needs scoping.
289 ##
290 getpgid
291 getpgrp
292 getpid
293 getppid
294 getpriority
295 getresgid
296 getresuid
297 getrlimit
298 getrusage
299 getsid
300
301 ##
302 ## Allow querying socket state, subject to capability rights.
303 ##
304 ## XXXRW: getsockopt(2) may need more attention.
305 ##
306 getsockname
307 getsockopt
308
309 ##
310 ## Allow querying the global clock.
311 ##
312 gettimeofday
313
314 ##
315 ## Allow querying current process credential state.
316 ##
317 getuid
318
319 ##
320 ## Allow ioctl(2), which hopefully will be limited by applications only to
321 ## required commands with cap_ioctls_limit(2) syscall.
322 ##
323 ioctl
324
325 ##
326 ## Allow querying current process credential state.
327 ##
328 issetugid
329
330 ##
331 ## Allow kevent(2), as we will authorize based on capability rights on the
332 ## target descriptor.
333 ##
334 kevent
335
336 ##
337 ## Allow kill(2), as we allow the process to send signals only to himself.
338 ##
339 kill
340
341 ##
342 ## Allow message queue operations on file descriptors, subject to capability
343 ## rights.
344 ##
345 kmq_notify
346 kmq_setattr
347 kmq_timedreceive
348 kmq_timedsend
349
350 ##
351 ## Allow kqueue(2), we will control use.
352 ##
353 kqueue
354
355 ##
356 ## Allow managing per-process timers.
357 ##
358 ktimer_create
359 ktimer_delete
360 ktimer_getoverrun
361 ktimer_gettime
362 ktimer_settime
363
364 ##
365 ## We can't allow ktrace(2) because it relies on a global namespace, but we
366 ## might want to introduce an fktrace(2) of some sort.
367 ##
368 #ktrace
369
370 ##
371 ## Allow AIO operations by file descriptor, subject to capability rights.
372 ##
373 lio_listio
374
375 ##
376 ## Allow listen(2), subject to capability rights.
377 ##
378 ## XXXRW: One might argue this manipulates a global namespace.
379 ##
380 listen
381
382 ##
383 ## Allow I/O-related file descriptors, subject to capability rights.
384 ##
385 lseek
386
387 ##
388 ## Allow simple VM operations on the current process.
389 ##
390 madvise
391 mincore
392 minherit
393 mlock
394 mlockall
395
396 ##
397 ## Allow memory mapping a file descriptor, and updating protections, subject
398 ## to capability rights.
399 ##
400 mmap
401 mprotect
402
403 ##
404 ## Allow simple VM operations on the current process.
405 ##
406 msync
407 munlock
408 munlockall
409 munmap
410
411 ##
412 ## Allow the current process to sleep.
413 ##
414 nanosleep
415
416 ##
417 ## Allow querying the global clock.
418 ##
419 ntp_gettime
420
421 ##
422 ## Allow AIO operations by file descriptor, subject to capability rights.
423 ##
424 oaio_read
425 oaio_write
426
427 ##
428 ## Allow simple VM operations on the current process.
429 ##
430 obreak
431
432 ##
433 ## Allow AIO operations by file descriptor, subject to capability rights.
434 ##
435 olio_listio
436
437 ##
438 ## Operations relative to directory capabilities.
439 ##
440 chflagsat
441 faccessat
442 fchmodat
443 fchownat
444 fstatat
445 futimesat
446 linkat
447 mkdirat
448 mkfifoat
449 mknodat
450 openat
451 readlinkat
452 renameat
453 symlinkat
454 unlinkat
455 utimensat
456
457 ##
458 ## Allow entry into open(2). This system call will fail, since access to the
459 ## global file namespace has been disallowed, but allowing entry into the
460 ## syscall means that an audit trail will be generated (which is also very
461 ## useful for debugging).
462 ##
463 open
464
465 ##
466 ## Allow poll(2), which will be scoped by capability rights.
467 ##
468 ## XXXRW: Perhaps we don't need the OpenBSD version?
469 ## XXXRW: We don't yet do that scoping.
470 ##
471 openbsd_poll
472
473 ##
474 ## Process descriptor-related system calls are allowed.
475 ##
476 pdfork
477 pdgetpid
478 pdkill
479 #pdwait4 # not yet implemented
480
481 ##
482 ## Allow pipe(2).
483 ##
484 pipe
485 pipe2
486
487 ##
488 ## Allow poll(2), which will be scoped by capability rights.
489 ## XXXRW: We don't yet do that scoping.
490 ##
491 poll
492
493 ##
494 ## Allow I/O-related file descriptors, subject to capability rights.
495 ##
496 pread
497 preadv
498
499 ##
500 ## Allow access to profiling state on the current process.
501 ##
502 profil
503
504 ##
505 ## Disallow ptrace(2) for now, but we do need debugging facilities in
506 ## capability mode, so we will want to revisit this, possibly by scoping its
507 ## operation.
508 ##
509 #ptrace
510
511 ##
512 ## Allow I/O-related file descriptors, subject to capability rights.
513 ##
514 pwrite
515 pwritev
516 read
517 readv
518 recv
519 recvfrom
520 recvmsg
521
522 ##
523 ## Allow real-time scheduling primitives to be used.
524 ##
525 ## XXXRW: These require scoping.
526 ##
527 rtprio
528 rtprio_thread
529
530 ##
531 ## Allow simple VM operations on the current process.
532 ##
533 sbrk
534
535 ##
536 ## Allow querying trivial global scheduler state.
537 ##
538 sched_get_priority_max
539 sched_get_priority_min
540
541 ##
542 ## Allow various thread/process scheduler operations.
543 ##
544 ## XXXRW: Some of these require further scoping.
545 ##
546 sched_getparam
547 sched_getscheduler
548 sched_rr_get_interval
549 sched_setparam
550 sched_setscheduler
551 sched_yield
552
553 ##
554 ## Allow I/O-related file descriptors, subject to capability rights.
555 ##
556 sctp_generic_recvmsg
557 sctp_generic_sendmsg
558 sctp_generic_sendmsg_iov
559 sctp_peeloff
560
561 ##
562 ## Allow pselect(2) and select(2), which will be scoped by capability rights.
563 ##
564 ## XXXRW: But is it?
565 ##
566 pselect
567 select
568
569 ##
570 ## Allow I/O-related file descriptors, subject to capability rights. Use of
571 ## explicit addresses here is restricted by the system calls themselves.
572 ##
573 send
574 sendfile
575 sendmsg
576 sendto
577
578 ##
579 ## Allow setting per-process audit state, which is controlled separately by
580 ## privileges.
581 ##
582 setaudit
583 setaudit_addr
584 setauid
585
586 ##
587 ## Allow setting thread context.
588 ##
589 setcontext
590
591 ##
592 ## Allow setting current process credential state, which is controlled
593 ## separately by privilege.
594 ##
595 setegid
596 seteuid
597 setgid
598
599 ##
600 ## Allow use of the process interval timer.
601 ##
602 setitimer
603
604 ##
605 ## Allow setpriority(2).
606 ##
607 ## XXXRW: Requires scoping.
608 ##
609 setpriority
610
611 ##
612 ## Allow setting current process credential state, which is controlled
613 ## separately by privilege.
614 ##
615 setregid
616 setresgid
617 setresuid
618 setreuid
619
620 ##
621 ## Allow setting process resource limits with setrlimit(2).
622 ##
623 setrlimit
624
625 ##
626 ## Allow creating a new session with setsid(2).
627 ##
628 setsid
629
630 ##
631 ## Allow setting socket options with setsockopt(2), subject to capability
632 ## rights.
633 ##
634 ## XXXRW: Might require scoping.
635 ##
636 setsockopt
637
638 ##
639 ## Allow setting current process credential state, which is controlled
640 ## separately by privilege.
641 ##
642 setuid
643
644 ##
645 ## shm_open(2) is scoped so as to allow only access to new anonymous objects.
646 ##
647 shm_open
648
649 ##
650 ## Allow I/O-related file descriptors, subject to capability rights.
651 ##
652 shutdown
653
654 ##
655 ## Allow signal control on current process.
656 ##
657 sigaction
658 sigaltstack
659 sigblock
660 sigpending
661 sigprocmask
662 sigqueue
663 sigreturn
664 sigsetmask
665 sigstack
666 sigsuspend
667 sigtimedwait
668 sigvec
669 sigwaitinfo
670 sigwait
671
672 ##
673 ## Allow creating new socket pairs with socket(2) and socketpair(2).
674 ##
675 socket
676 socketpair
677
678 ##
679 ## Allow simple VM operations on the current process.
680 ##
681 ## XXXRW: Kernel doesn't implement this, so drop?
682 ##
683 sstk
684
685 ##
686 ## Do allow sync(2) for now, but possibly shouldn't.
687 ##
688 sync
689
690 ##
691 ## Always allow process termination with sys_exit(2).
692 ##
693 sys_exit
694
695 ##
696 ## sysarch(2) does rather diverse things, but is required on at least i386
697 ## in order to configure per-thread data. As such, it's scoped on each
698 ## architecture.
699 ##
700 sysarch
701
702 ##
703 ## Allow thread operations operating only on current process.
704 ##
705 thr_create
706 thr_exit
707 thr_kill
708
709 ##
710 ## Disallow thr_kill2(2), as it may operate beyond the current process.
711 ##
712 ## XXXRW: Requires scoping.
713 ##
714 #thr_kill2
715
716 ##
717 ## Allow thread operations operating only on current process.
718 ##
719 thr_new
720 thr_self
721 thr_set_name
722 thr_suspend
723 thr_wake
724
725 ##
726 ## Allow manipulation of the current process umask with umask(2).
727 ##
728 umask
729
730 ##
731 ## Allow submitting of process trace entries with utrace(2).
732 ##
733 utrace
734
735 ##
736 ## Allow generating UUIDs with uuidgen(2).
737 ##
738 uuidgen
739
740 ##
741 ## Allow I/O-related file descriptors, subject to capability rights.
742 ##
743 write
744 writev
745
746 ##
747 ## Allow processes to yield(2).
748 ##
749 yield
Cache object: c059fe10bcbd0cb7268d9b5b24594617
|