FreeBSD/Linux Kernel Cross Reference
sys/kern/capabilities.conf


##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD$
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights.  Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize.  For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_lock
_umtx_op
_umtx_unlock

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes.  For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Disallow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.
##
#bind

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_getmode
cap_getrights
cap_new

##
## Allow read-only clock operations.
##
clock_gettime
clock_getres

##
## Always allow file descriptor close(2).
##
close
closefrom

##
## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
##
#connect

##
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.
##
#cpuset
#cpuset_getaffinity
#cpuset_getid
#cpuset_setaffinity
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights.  We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fsync
ftruncate

##
## Allow futimes(2), subject to capability rights.
##
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ and CAP_SEEK now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
## scope, but this is a tricky one as it is also required for tty control.
## We do have a capability right for this operation.
##
## XXXRW: This needs to be revisited.
##
#ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2), we will control use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
lseek

##
## Allow MAC label operations by file descriptor, subject to capability
## rights.
##
mac_get_fd
mac_set_fd

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
obreak

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
faccessat
fstatat
fchmodat
fchownat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat

##
## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
##
open

##
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.
##
openbsd_poll

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4        # not yet implemented

##
## Allow pipe(2).
##
pipe

##
## Allow poll(2), which will be scoped by capability rights.
## XXXRW: We don't yet do that scoping.
##
poll

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related file descriptors, subject to capability rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_getinterval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related file descriptors, subject to capability rights.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
select

##
## Allow I/O-related file descriptors, subject to capability rights.  Use of
## explicit addresses here is restricted by the system calls themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related file descriptors, subject to capability rights.
##
shutdown

##
## Allow signal control on current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo

##
## Allow creating new socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data.  As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations operating only on current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations operating only on current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting of process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related file descriptors, subject to capability rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
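
The two notes in the file header (keep the list sorted; sys_exit, abort2 and close must stay enabled) are exactly what a reviewer of a policy change wants checked mechanically rather than by eye. The following is an added example, not FreeBSD's own tooling (the kernel build consumes this file through makesyscalls.sh): it reads the conventions visible above, where `##` starts an explanatory comment, `#name` marks a system call deliberately kept out of capability mode and a bare name is enabled, and reports violations. The excerpt it parses is constructed and contains a deliberate ordering slip.

```python
"""Reader and consistency checker for the capabilities.conf format (added
example, not FreeBSD's makesyscalls.sh, which is what the kernel build uses).
"##" starts a comment, "#name" is a syscall kept out of capability mode, and a
bare name is enabled; the checks enforce the two notes in the file header."""
import re

REQUIRED = ("sys_exit", "abort2", "close")   # "very important" per the header

# optional leading '#', a syscall name, then an optional trailing "# comment"
_ENTRY = re.compile(r"^(#?)([A-Za-z_]\w*)\s*(?:#.*)?$")


def parse(text):
    """Return (entries, malformed): entries is [(name, enabled)] in file order."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # blank line or explanatory comment
        m = _ENTRY.match(line)
        if m is None:
            malformed.append((lineno, raw))
        else:
            entries.append((m.group(2), m.group(1) == ""))
    return entries, malformed


def enabled(entries):
    return [name for name, on in entries if on]


def check(entries):
    """Return findings (strings); an empty list means the policy is consistent."""
    findings, names = [], [name for name, _ in entries]
    # "Sorted alphabetically, please keep it that way."  Plain string order
    # matches the file's own convention of listing "__"/"_" names first.
    for prev, cur in zip(names, names[1:]):
        if prev > cur:
            findings.append(f"out of order: {cur!r} follows {prev!r}")
    on = set(enabled(entries))
    for name in REQUIRED:
        if name not in on:
            state = "commented out" if name in names else "missing"
            findings.append(f"required syscall {name!r} is {state}")
    return findings


# Constructed excerpt; clock_gettime/clock_getres are deliberately out of order.
SAMPLE = """\
## Constructed excerpt: one name per line, "#name" disables the call.
__sysctl
abort2
#audit
clock_gettime
clock_getres
close
#pdwait4        # not yet implemented
sys_exit
"""
```

Running `check(parse(SAMPLE)[0])` reports the single ordering slip and nothing else, since all three required calls are enabled.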

This page is part of the FreeBSD/Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.