FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf


##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: releng/9.0/sys/kern/capabilities.conf 224987 2011-08-18 22:51:30Z jonathan $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Disallow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.
##
#bind

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_getmode
cap_getrights
cap_new

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
##
#connect

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
## scope, but this is a tricky one as it is also required for tty control.
## We do have a capability right for this operation.
##
## XXXRW: This needs to be revisited.
##
#ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
futimesat
mkdirat
rmdirat
mkfifoat
mknodat
openat
renameat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4        # not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
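A small parser and lint for the file format above (one syscall name per line, `##` blocks giving the rationale, a leading `#` keeping a call disallowed, optionally followed by a `#` note such as "not yet implemented"). This is an added example, not FreeBSD's own tooling: the kernel's syscall-table build script is what consumes the real file, and the function names here are my own. The constructed excerpt keeps the page's clock_gettime/clock_getres order, which the sort check reports against the header's "sorted alphabetically" rule.

```python
# Parser and lint for the capabilities.conf format above. Added example, not FreeBSD's
# own tooling (the kernel's syscall-table build script consumes the real file).
import re
from collections import namedtuple
# Constructed excerpt in the file's own conventions: `##` lines document a
# policy decision, a bare name enables the syscall in capability mode, and a
# leading `#` keeps it disallowed (optionally followed by a `#` note).
SAMPLE_CONF = """\
##
## Allow capability mode and capability system calls.
##
cap_enter

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global scope.
##
#ioctl

##
## Process descriptor-related system calls are allowed.
##
pdfork
#pdwait4        # not yet implemented
"""
# name, enabled flag, the `##` block introducing its section, trailing `#` note
Entry = namedtuple("Entry", "name enabled rationale note")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def parse_capabilities_conf(text):
    """Return entries in file order; a blank line ends the current section."""
    entries, block = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            block = []                          # next `##` block starts fresh
        elif line.startswith("##"):
            if line[2:].strip():
                block.append(line[2:].strip())
        else:                                   # entry: `name` or `#name [# note]`
            name, _, note = (s.strip() for s in line.lstrip("#").partition("#"))
            if not NAME_RE.fullmatch(name):
                raise ValueError(f"line {lineno}: malformed entry {raw!r}")
            entries.append(Entry(name, not line.startswith("#"), " ".join(block), note))
    return entries

def capmode_policy(entries, syscall):
    """'enabled', 'disabled' (listed but commented out) or 'unlisted'."""
    e = next((e for e in entries if e.name == syscall), None)
    return "unlisted" if e is None else ("enabled" if e.enabled else "disabled")

def unsorted_entries(entries):
    """Names out of C-locale order, violating the header's sorting rule."""
    names = [e.name for e in entries]
    return [b for a, b in zip(names, names[1:]) if b < a]
```

Feeding the full file to `parse_capabilities_conf` and calling `capmode_policy` is a quick way to check, when a sandboxed program's call fails in capability mode, whether the syscall is deliberately kept out and what rationale the file records for it.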

This page is part of the FreeBSD/Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.