1##
2## Copyright (c) 2008-2010 Robert N. M. Watson
3## All rights reserved.
4##
5## This software was developed at the University of Cambridge Computer
6## Laboratory with support from a grant from Google, Inc.
7##
8## Redistribution and use in source and binary forms, with or without
9## modification, are permitted provided that the following conditions
10## are met:
11## 1. Redistributions of source code must retain the above copyright
12##    notice, this list of conditions and the following disclaimer.
13## 2. Redistributions in binary form must reproduce the above copyright
14##    notice, this list of conditions and the following disclaimer in the
15##    documentation and/or other materials provided with the distribution.
16##
17## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20## ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27## SUCH DAMAGE.
28##
29## List of system calls enabled in capability mode, one name per line.
30##
31## System calls listed here operate either fully or partially in the absence
32## of global namespaces or ambient authority.  In capability mode, system calls
33## that operate only on global namespaces or require ambient authority have no
34## utility and thus are not permitted.
35##
36## Notes:
37## - sys_exit(2), abort2(2) and close(2) are very important.
38## - Sorted alphabetically, please keep it that way.
39##
40## $FreeBSD: stable/12/sys/kern/capabilities.conf 363879 2020-08-05 03:53:57Z kevans $
41##
42
43##
44## Allow ACL and MAC label operations by file descriptor, subject to
45## capability rights.  Allow MAC label operations on the current process but
46## we will need to scope __mac_get_pid(2).
47##
48__acl_aclcheck_fd
49__acl_delete_fd
50__acl_get_fd
51__acl_set_fd
52__mac_get_fd
53#__mac_get_pid
54__mac_get_proc
55__mac_set_fd
56__mac_set_proc
57
58##
59## Allow sysctl(2), as we scope it internally to the call; this is a global
60## namespace, but there are several critical sysctls required for almost
61## anything to run, such as hw.pagesize.  For now that policy lives in the
62## kernel for performance and simplicity, but perhaps it could move to a
63## proxying daemon in userspace.
64##
65__sysctl
66__sysctlbyname
67
68##
69## Allow umtx operations as these are scoped by address space.
70##
71## XXXRW: Need to check this very carefully.
72##
73_umtx_op
74
75##
76## Allow process termination using abort2(2).
77##
78abort2
79
80##
81## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
82## relies on existing bindings on a socket, subject to capability rights.
83##
84accept
85accept4
86
87##
88## Allow AIO operations by file descriptor, subject to capability rights.
89##
90aio_cancel
91aio_error
92aio_fsync
93aio_read
94aio_return
95aio_suspend
96aio_waitcomplete
97aio_write
98
99##
100## audit(2) is a global operation, submitting to the global trail, but it is
101## controlled by privilege, and it might be useful to be able to submit
102## records from sandboxes.  For now, disallow, but we may want to think about
103## providing some sort of proxy service for this.
104##
105#audit
106
107##
108## Allow bindat(2).
109##
110bindat
111
112##
113## Allow capability mode and capability system calls.
114##
115cap_enter
116cap_fcntls_get
117cap_fcntls_limit
118cap_getmode
119cap_ioctls_get
120cap_ioctls_limit
121__cap_rights_get
122cap_rights_limit
123
124##
125## Allow read-only clock operations.
126##
127clock_getres
128clock_gettime
129
130##
131## Always allow file descriptor close(2).
132##
133close
134close_range
135closefrom
136
137##
138## Allow connectat(2).
139##
140connectat
141
142##
143## cpuset(2) and related calls are limited to the caller's own process/thread.
144##
145#cpuset
146cpuset_getaffinity
147cpuset_getdomain
148#cpuset_getid
149cpuset_setaffinity
150cpuset_setdomain
151#cpuset_setid
152
153##
154## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
155##
156dup
157dup2
158
159##
160## Allow extended attribute operations by file descriptor, subject to
161## capability rights.
162##
163extattr_delete_fd
164extattr_get_fd
165extattr_list_fd
166extattr_set_fd
167
168##
169## Allow changing file flags, mode, and owner by file descriptor, subject to
170## capability rights.
171##
172fchflags
173fchmod
174fchown
175
176##
177## For now, allow fcntl(2), subject to capability rights, but this probably
178## needs additional scoping.
179##
180fcntl
181
182##
183## Allow fexecve(2), subject to capability rights.  We perform some scoping,
184## such as disallowing privilege escalation.
185##
186fexecve
187
188##
189## Allow flock(2), subject to capability rights.
190##
191flock
192
193##
194## Allow fork(2), even though it returns pids -- some applications seem to
195## prefer this interface.
196##
197fork
198
199##
200## Allow fpathconf(2), subject to capability rights.
201##
202fpathconf
203
204##
205## Allow various file descriptor-based I/O operations, subject to capability
206## rights.
207##
208freebsd11_fstat
209freebsd11_fstatat
210freebsd11_getdirentries
211freebsd11_fstatfs
212freebsd11_mknodat
213freebsd6_ftruncate
214freebsd6_lseek
215freebsd6_mmap
216freebsd6_pread
217freebsd6_pwrite
218
219##
220## Allow querying file and file system state with fstat(2) and fstatfs(2),
221## subject to capability rights.
222##
223fstat
224fstatfs
225
226##
227## Allow further file descriptor-based I/O operations, subject to capability
228## rights.
229##
230fdatasync
231fsync
232ftruncate
233
234##
235## Allow futimens(2) and futimes(2), subject to capability rights.
236##
237futimens
238futimes
239
240##
241## Allow querying process audit state, subject to normal access control.
242##
243getaudit
244getaudit_addr
245getauid
246
247##
248## Allow thread context management with getcontext(2).
249##
250getcontext
251
252##
253## Allow directory I/O on a file descriptor, subject to capability rights.
254## Originally we had separate capabilities for directory-specific read
255## operations, but on BSD we allow reading the raw directory data, so we just
256## rely on CAP_READ now.
257##
258getdents
259getdirentries
260
261##
262## Allow querying certain trivial global state.
263##
264getdomainname
265
266##
267## Allow querying certain per-process resource limit state.
268##
269getdtablesize
270
271##
272## Allow querying current process credential state.
273##
274getegid
275geteuid
276
277##
278## Allow querying certain trivial global state.
279##
280gethostid
281gethostname
282
283##
284## Allow querying per-process timer.
285##
286getitimer
287
288##
289## Allow querying current process credential state.
290##
291getgid
292getgroups
293getlogin
294getloginclass
295
296##
297## Allow querying certain trivial global state.
298##
299getpagesize
300getpeername
301
302##
303## Allow querying certain per-process scheduling, resource limit, and
304## credential state.
305##
306## XXXRW: getpgid(2) needs scoping.  It's not clear if it's worth scoping
307## getppid(2).  getpriority(2) needs scoping.  getrusage(2) needs scoping.
308## getsid(2) needs scoping.
309##
310getpgid
311getpgrp
312getpid
313getppid
314getpriority
315getresgid
316getresuid
317getrlimit
318getrusage
319getsid
320
321##
322## Allow getrandom(2).
323##
324getrandom
325
326##
327## Allow querying socket state, subject to capability rights.
328##
329## XXXRW: getsockopt(2) may need more attention.
330##
331getsockname
332getsockopt
333
334##
335## Allow querying the global clock.
336##
337gettimeofday
338
339##
340## Allow querying current process credential state.
341##
342getuid
343
344##
345## Allow ioctl(2), which hopefully will be limited by applications only to
346## required commands with the cap_ioctls_limit(2) syscall.
347##
348ioctl
349
350##
351## Allow querying current process credential state.
352##
353issetugid
354
355##
356## Allow kevent(2), as we will authorize based on capability rights on the
357## target descriptor.
358##
359kevent
360
361##
362## Allow kill(2), as we allow the process to send signals only to itself.
363##
364kill
365
366##
367## Allow message queue operations on file descriptors, subject to capability
368## rights.
369## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
370## SYF_CAPENABLED.
371##
372kmq_notify
373kmq_setattr
374kmq_timedreceive
375kmq_timedsend
376
377##
378## Allow kqueue(2); we will control its use.
379##
380kqueue
381
382##
383## Allow managing per-process timers.
384##
385ktimer_create
386ktimer_delete
387ktimer_getoverrun
388ktimer_gettime
389ktimer_settime
390
391##
392## We can't allow ktrace(2) because it relies on a global namespace, but we
393## might want to introduce an fktrace(2) of some sort.
394##
395#ktrace
396
397##
398## Allow AIO operations by file descriptor, subject to capability rights.
399##
400lio_listio
401
402##
403## Allow listen(2), subject to capability rights.
404##
405## XXXRW: One might argue this manipulates a global namespace.
406##
407listen
408
409##
410## Allow I/O-related operations on file descriptors, subject to capability rights.
411##
412lseek
413
414##
415## Allow simple VM operations on the current process.
416##
417madvise
418mincore
419minherit
420mlock
421mlockall
422
423##
424## Allow memory mapping a file descriptor, and updating protections, subject
425## to capability rights.
426##
427mmap
428mprotect
429
430##
431## Allow simple VM operations on the current process.
432##
433msync
434munlock
435munlockall
436munmap
437
438##
439## Allow the current process to sleep.
440##
441nanosleep
442
443##
444## Allow querying the global clock.
445##
446ntp_gettime
447
448##
449## Allow AIO operations by file descriptor, subject to capability rights.
450##
451oaio_read
452oaio_write
453
454##
455## Allow simple VM operations on the current process.
456##
457break
458
459##
460## Allow AIO operations by file descriptor, subject to capability rights.
461##
462olio_listio
463
464##
465## Operations relative to directory capabilities.
466##
467chflagsat
468faccessat
469fchmodat
470fchownat
471fstatat
472futimesat
473linkat
474mkdirat
475mkfifoat
476mknodat
477openat
478readlinkat
479renameat
480symlinkat
481unlinkat
482utimensat
483
484##
485## Process descriptor-related system calls are allowed.
486##
487pdfork
488pdgetpid
489pdkill
490#pdwait4	# not yet implemented
491
492##
493## Allow pipe(2).
494##
495pipe
496pipe2
497
498##
499## Allow poll(2), which will be scoped by capability rights.
500##
501poll
502ppoll
503
504##
505## Allow I/O-related operations on file descriptors, subject to capability rights.
506##
507posix_fallocate
508pread
509preadv
510
511##
512## Allow access to profiling state on the current process.
513##
514profil
515
516##
517## Disallow ptrace(2) for now, but we do need debugging facilities in
518## capability mode, so we will want to revisit this, possibly by scoping its
519## operation.
520##
521#ptrace
522
523##
524## Allow I/O-related operations on file descriptors, subject to capability rights.
525##
526pwrite
527pwritev
528read
529readv
530recv
531recvfrom
532recvmsg
533
534##
535## Allow real-time scheduling primitives to be used.
536##
537## XXXRW: These require scoping.
538##
539rtprio
540rtprio_thread
541
542##
543## Allow simple VM operations on the current process.
544##
545sbrk
546
547##
548## Allow querying trivial global scheduler state.
549##
550sched_get_priority_max
551sched_get_priority_min
552
553##
554## Allow various thread/process scheduler operations.
555##
556## XXXRW: Some of these require further scoping.
557##
558sched_getparam
559sched_getscheduler
560sched_rr_get_interval
561sched_setparam
562sched_setscheduler
563sched_yield
564
565##
566## Allow I/O-related operations on file descriptors, subject to capability rights.
567## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
568## with SYF_CAPENABLED.
569##
570sctp_generic_recvmsg
571sctp_generic_sendmsg
572sctp_generic_sendmsg_iov
573sctp_peeloff
574
575##
576## Allow pselect(2) and select(2), which will be scoped by capability rights.
577##
578## XXXRW: But is it?
579##
580pselect
581select
582
583##
584## Allow I/O-related operations on file descriptors, subject to capability rights.  Use of
585## explicit addresses here is restricted by the system calls themselves.
586##
587send
588sendfile
589sendmsg
590sendto
591
592##
593## Allow setting per-process audit state, which is controlled separately by
594## privileges.
595##
596setaudit
597setaudit_addr
598setauid
599
600##
601## Allow setting thread context.
602##
603setcontext
604
605##
606## Allow setting current process credential state, which is controlled
607## separately by privilege.
608##
609setegid
610seteuid
611setgid
612
613##
614## Allow use of the process interval timer.
615##
616setitimer
617
618##
619## Allow setpriority(2).
620##
621## XXXRW: Requires scoping.
622##
623setpriority
624
625##
626## Allow setting current process credential state, which is controlled
627## separately by privilege.
628##
629setregid
630setresgid
631setresuid
632setreuid
633
634##
635## Allow setting process resource limits with setrlimit(2).
636##
637setrlimit
638
639##
640## Allow creating a new session with setsid(2).
641##
642setsid
643
644##
645## Allow setting socket options with setsockopt(2), subject to capability
646## rights.
647##
648## XXXRW: Might require scoping.
649##
650setsockopt
651
652##
653## Allow setting current process credential state, which is controlled
654## separately by privilege.
655##
656setuid
657
658##
659## shm_open(2) is scoped so as to allow access only to new anonymous objects.
660##
661shm_open
662
663##
664## Allow I/O-related operations on file descriptors, subject to capability rights.
665##
666shutdown
667
668##
669## Allow signal control on current process.
670##
671sigaction
672sigaltstack
673sigblock
674sigpending
675sigprocmask
676sigqueue
677sigreturn
678sigsetmask
679sigstack
680sigsuspend
681sigtimedwait
682sigvec
683sigwaitinfo
684sigwait
685
686##
687## Allow creating new sockets and socket pairs with socket(2) and socketpair(2).
688##
689socket
690socketpair
691
692##
693## Allow simple VM operations on the current process.
694##
695## XXXRW: Kernel doesn't implement this, so drop?
696##
697sstk
698
699##
700## Do allow sync(2) for now, but possibly shouldn't.
701##
702sync
703
704##
705## Always allow process termination with sys_exit(2).
706##
707sys_exit
708
709##
710## sysarch(2) does rather diverse things, but is required on at least i386
711## in order to configure per-thread data.  As such, it's scoped on each
712## architecture.
713##
714sysarch
715
716##
717## Allow thread operations operating only on the current process.
718##
719thr_create
720thr_exit
721thr_kill
722
723##
724## Disallow thr_kill2(2), as it may operate beyond the current process.
725##
726## XXXRW: Requires scoping.
727##
728#thr_kill2
729
730##
731## Allow thread operations operating only on the current process.
732##
733thr_new
734thr_self
735thr_set_name
736thr_suspend
737thr_wake
738
739##
740## Allow manipulation of the current process umask with umask(2).
741##
742umask
743
744##
745## Allow submitting process trace entries with utrace(2).
746##
747utrace
748
749##
750## Allow generating UUIDs with uuidgen(2).
751##
752uuidgen
753
754##
755## Allow I/O-related operations on file descriptors, subject to capability rights.
756##
757write
758writev
759
760##
761## Allow processes to yield(2).
762##
763yield
764