FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf


##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## System calls listed here operate either fully or partially in the absence
## of global namespaces or ambient authority.  In capability mode, system calls
## that operate only on global namespaces or require ambient authority have no
## utility and thus are not permitted.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically; please keep it that way.
##
## $FreeBSD$
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow creating special file descriptors like eventfd(2).
##
__specialfd

##
## Allow sysctl(2), as we scope it internally to the call: this is a global
## namespace, but several critical sysctls, such as hw.pagesize, are required
## for almost anything to run.  For now that policy lives in the kernel for
## performance and simplicity, but perhaps it could move to a proxying daemon
## in userspace.
##
__sysctl
__sysctlbyname

##
## Allow umtx operations, as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2), since it doesn't manipulate namespaces directly but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write
aio_writev
aio_readv

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
close_range
closefrom

##
## Allow connectat(2).
##
connectat

##
## copy_file_range(2) reads from one descriptor and writes to the other.
##
copy_file_range

##
## cpuset(2) and related calls are limited to the caller's own process/thread.
##
#cpuset
cpuset_getaffinity
cpuset_getdomain
#cpuset_getid
cpuset_setaffinity
cpuset_setdomain
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd11_fstat
freebsd11_fstatat
freebsd11_getdirentries
freebsd11_fstatfs
freebsd11_mknodat
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fdatasync
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying certain per-process resource limit state.
##
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying the per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin
getloginclass

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow getrandom(2).
##
getrandom

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which applications will hopefully limit to only the
## required commands using the cap_ioctls_limit(2) system call.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
## SYF_CAPENABLED.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
break

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
funlinkat
utimensat

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4        # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
##
poll
ppoll

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
posix_fallocate
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min
sched_getcpu

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptor operations, subject to capability rights.
## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
## with SYF_CAPENABLED.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related file descriptor operations, subject to capability rights.
## Use of explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow access only to new anonymous objects.
##
shm_open
shm_open2

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigfastblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new sockets and socket pairs with socket(2) and
## socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Allow sync(2) for now, though possibly we shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that operate only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that operate only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptor operations, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
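The header above defines the file's format (one syscall name per line, `##` comment blocks, a leading `#` disabling an entry, entries kept sorted) and this list is what decides whether a program keeps working after cap_enter(2). The following added example, which is not FreeBSD code, parses that format, flags entries that break the sort rule, and audits a program's syscall list against the policy before sandboxing; the excerpt it parses is constructed from entries on this page, and the underscore-insensitive ordering rule is an assumption.

```python
"""Added example (not FreeBSD code): parse the capabilities.conf format and
audit a program's syscall list against it before sandboxing with cap_enter(2)."""
import re
from typing import Dict, List, NamedTuple, Tuple

_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
class CapPolicy(NamedTuple):
    enabled: List[str]               # allowed in capability mode, file order
    disabled: List[str]              # listed but commented out, e.g. #ktrace
    unsorted: List[Tuple[str, str]]  # consecutive (prev, cur) out of order

def parse_capabilities_conf(text: str) -> CapPolicy:
    """One syscall name per line; '##' opens a comment block; a leading '#'
    disables the entry; a trailing '# remark' after the name is ignored."""
    enabled, disabled, unsorted = [], [], []
    prev = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        token = line.split()[0]          # e.g. "#pdwait4   # not yet implemented"
        name = token[1:] if token.startswith("#") else token
        if not _NAME_RE.match(name):
            raise ValueError(f"line {lineno}: malformed entry {token!r}")
        (disabled if token.startswith("#") else enabled).append(name)
        # Assumption: leading underscores (__sysctl, _umtx_op) are ignored when
        # checking the "sorted alphabetically" rule from the file header.
        if prev is not None and prev.lstrip("_") > name.lstrip("_"):
            unsorted.append((prev, name))
        prev = name
    return CapPolicy(enabled, disabled, unsorted)

def audit_syscalls(needed: List[str], policy: CapPolicy) -> Dict[str, str]:
    """For each syscall a sandboxed program needs, say why it would fail with
    ECAPMODE: 'disabled' (listed, commented out) or 'absent' (never listed)."""
    allowed, off = set(policy.enabled), set(policy.disabled)
    return {s: ("disabled" if s in off else "absent")
            for s in needed if s not in allowed}

# Constructed excerpt in the file's own format; not the full file.
SAMPLE_CONF = """\
##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_writev
aio_readv
cap_enter
cap_rights_limit
#ktrace
openat
#pdwait4        # not yet implemented
read
write
"""

if __name__ == "__main__":
    pol = parse_capabilities_conf(SAMPLE_CONF)
    print("out of order:", pol.unsorted)
    print("blocked:", audit_syscalls(["read", "open", "ktrace", "openat"], pol))
```

Run against the full file, the audit tells you which of a program's syscalls must be replaced by their descriptor-relative forms (open(2) by openat(2), for instance) before the process can enter capability mode.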

This page is part of the FreeBSD/Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.