FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf

##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD$
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls are limited to caller's own process/thread.
##
#cpuset
cpuset_getaffinity
#cpuset_getid
cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to himself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
## SYF_CAPENABLED.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4        # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
posix_fallocate
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
## with SYF_CAPENABLED.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
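As an added illustration (not FreeBSD's own makesyscalls tooling, whose parsing rules are not reproduced here), a small checker for this file's format that applies the rules stated in its header: one syscall name per line, "##" lines are prose, a single "#" in front of a name records a syscall deliberately kept out of capability mode, the three names the header calls very important must be present, and entries are expected in sorted order. The SAMPLE excerpt is constructed.

```python
"""Parse and sanity-check a capabilities.conf-style syscall allow-list.

Added example, not FreeBSD code.  Format assumptions (from the file header):
one name per line, '##' starts a prose comment, '#name' is a disabled entry,
names are meant to be kept in sorted order.
"""
from __future__ import annotations

# Constructed excerpt in the file's own format.
SAMPLE = """\
##
## Allow process termination using abort2(2).
##
abort2
#audit
close
closefrom
#cpuset
cpuset_getaffinity
sys_exit
"""

# The header says these must always be available inside capability mode.
REQUIRED = ("sys_exit", "abort2", "close")


def parse(text: str) -> tuple[list[str], list[str]]:
    """Return (enabled, disabled) syscall names in file order."""
    enabled: list[str] = []
    disabled: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # blank line or '##' prose comment
        if line.startswith("#"):
            rest = line[1:].split()       # '#pdwait4   # remark' -> pdwait4
            if rest:
                disabled.append(rest[0])
        else:
            enabled.append(line.split("#", 1)[0].strip())
    return enabled, disabled


def check(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file is sane."""
    enabled, _ = parse(text)
    problems = [f"required syscall missing: {n}" for n in REQUIRED
                if n not in enabled]
    seen: set[str] = set()
    for name in enabled:
        if name in seen:
            problems.append(f"duplicate entry: {name}")
        seen.add(name)
    # Plain string order: '_' sorts before lowercase letters, so the
    # leading-underscore names (__acl_*, _umtx_op) correctly come first.
    for a, b in zip(enabled, enabled[1:]):
        if a > b:
            problems.append(f"out of order: {a!r} precedes {b!r}")
    return problems
```

Run over the full file above, the order check flags the few entries grouped by topic rather than alphabetically (for example __cap_rights_get among the cap_* calls and the *at calls after olio_listio), which is exactly the drift the header's "please keep it that way" note is asking contributors to avoid.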

This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.