##
## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
## List of system calls enabled in capability mode, one name per line.
##
## System calls listed here operate either fully or partially in the absence
## of global namespaces or ambient authority. In capability mode, system calls
## that operate only on global namespaces or require ambient authority have no
## utility and thus are not permitted.
##
## Notes:
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
##
## $FreeBSD: stable/12/sys/kern/capabilities.conf 363879 2020-08-05 03:53:57Z kevans $
##

##
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process, but
## we will need to scope __mac_get_pid(2).
##
__acl_aclcheck_fd
__acl_delete_fd
__acl_get_fd
__acl_set_fd
__mac_get_fd
#__mac_get_pid
__mac_get_proc
__mac_set_fd
__mac_set_proc

##
## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.
##
__sysctl
__sysctlbyname

##
## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.
##
_umtx_op

##
## Allow process termination using abort2(2).
##
abort2

##
## Allow accept(2) since it doesn't manipulate namespaces directly, but rather
## relies on existing bindings on a socket, subject to capability rights.
##
accept
accept4

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_waitcomplete
aio_write

##
## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.
##
#audit

##
## Allow bindat(2).
##
bindat

##
## Allow capability mode and capability system calls.
##
cap_enter
cap_fcntls_get
cap_fcntls_limit
cap_getmode
cap_ioctls_get
cap_ioctls_limit
__cap_rights_get
cap_rights_limit

##
## Allow read-only clock operations.
##
clock_getres
clock_gettime

##
## Always allow file descriptor close(2).
##
close
close_range
closefrom

##
## Allow connectat(2).
##
connectat

##
## cpuset(2) and related calls are limited to the caller's own process/thread.
##
#cpuset
cpuset_getaffinity
cpuset_getdomain
#cpuset_getid
cpuset_setaffinity
cpuset_setdomain
#cpuset_setid

##
## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.
##
dup
dup2

##
## Allow extended attribute operations by file descriptor, subject to
## capability rights.
##
extattr_delete_fd
extattr_get_fd
extattr_list_fd
extattr_set_fd

##
## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.
##
fchflags
fchmod
fchown

##
## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.
##
fcntl

##
## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.
##
fexecve

##
## Allow flock(2), subject to capability rights.
##
flock

##
## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.
##
fork

##
## Allow fpathconf(2), subject to capability rights.
##
fpathconf

##
## Allow various file descriptor-based I/O operations, subject to capability
## rights.
##
freebsd11_fstat
freebsd11_fstatat
freebsd11_getdirentries
freebsd11_fstatfs
freebsd11_mknodat
freebsd6_ftruncate
freebsd6_lseek
freebsd6_mmap
freebsd6_pread
freebsd6_pwrite

##
## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.
##
fstat
fstatfs

##
## Allow further file descriptor-based I/O operations, subject to capability
## rights.
##
fdatasync
fsync
ftruncate

##
## Allow futimens(2) and futimes(2), subject to capability rights.
##
futimens
futimes

##
## Allow querying process audit state, subject to normal access control.
##
getaudit
getaudit_addr
getauid

##
## Allow thread context management with getcontext(2).
##
getcontext

##
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ now.
##
getdents
getdirentries

##
## Allow querying certain trivial global state.
##
getdomainname

##
## Allow querying certain per-process resource limit state.
##
getdtablesize

##
## Allow querying current process credential state.
##
getegid
geteuid

##
## Allow querying certain trivial global state.
##
gethostid
gethostname

##
## Allow querying the per-process timer.
##
getitimer

##
## Allow querying current process credential state.
##
getgid
getgroups
getlogin
getloginclass

##
## Allow querying certain trivial global state.
##
getpagesize
getpeername

##
## Allow querying certain per-process scheduling, resource limit, and
## credential state.
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.
##
getpgid
getpgrp
getpid
getppid
getpriority
getresgid
getresuid
getrlimit
getrusage
getsid

##
## Allow getrandom(2).
##
getrandom

##
## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.
##
getsockname
getsockopt

##
## Allow querying the global clock.
##
gettimeofday

##
## Allow querying current process credential state.
##
getuid

##
## Allow ioctl(2), which hopefully will be limited by applications only to
## required commands with the cap_ioctls_limit(2) syscall.
##
ioctl

##
## Allow querying current process credential state.
##
issetugid

##
## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.
##
kevent

##
## Allow kill(2), as we allow the process to send signals only to itself.
##
kill

##
## Allow message queue operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/kern/uipc_mqueue.c with
## SYF_CAPENABLED.
##
kmq_notify
kmq_setattr
kmq_timedreceive
kmq_timedsend

##
## Allow kqueue(2); we will control its use.
##
kqueue

##
## Allow managing per-process timers.
##
ktimer_create
ktimer_delete
ktimer_getoverrun
ktimer_gettime
ktimer_settime

##
## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
##
#ktrace

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
lio_listio

##
## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.
##
listen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
lseek

##
## Allow simple VM operations on the current process.
##
madvise
mincore
minherit
mlock
mlockall

##
## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.
##
mmap
mprotect

##
## Allow simple VM operations on the current process.
##
msync
munlock
munlockall
munmap

##
## Allow the current process to sleep.
##
nanosleep

##
## Allow querying the global clock.
##
ntp_gettime

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
oaio_read
oaio_write

##
## Allow simple VM operations on the current process.
##
break

##
## Allow AIO operations by file descriptor, subject to capability rights.
##
olio_listio

##
## Operations relative to directory capabilities.
##
chflagsat
faccessat
fchmodat
fchownat
fstatat
futimesat
linkat
mkdirat
mkfifoat
mknodat
openat
readlinkat
renameat
symlinkat
unlinkat
utimensat

##
## Process descriptor-related system calls are allowed.
##
pdfork
pdgetpid
pdkill
#pdwait4 # not yet implemented

##
## Allow pipe(2).
##
pipe
pipe2

##
## Allow poll(2), which will be scoped by capability rights.
##
poll
ppoll

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
posix_fallocate
pread
preadv

##
## Allow access to profiling state on the current process.
##
profil

##
## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its
## operation.
##
#ptrace

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
pwrite
pwritev
read
readv
recv
recvfrom
recvmsg

##
## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.
##
rtprio
rtprio_thread

##
## Allow simple VM operations on the current process.
##
sbrk

##
## Allow querying trivial global scheduler state.
##
sched_get_priority_max
sched_get_priority_min

##
## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.
##
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_setparam
sched_setscheduler
sched_yield

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
## NOTE: Corresponding sysents are initialized in sys/netinet/sctp_syscalls.c
## with SYF_CAPENABLED.
##
sctp_generic_recvmsg
sctp_generic_sendmsg
sctp_generic_sendmsg_iov
sctp_peeloff

##
## Allow pselect(2) and select(2), which will be scoped by capability rights.
##
## XXXRW: But is it?
##
pselect
select

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights. Use of explicit addresses here is restricted by the system calls
## themselves.
##
send
sendfile
sendmsg
sendto

##
## Allow setting per-process audit state, which is controlled separately by
## privileges.
##
setaudit
setaudit_addr
setauid

##
## Allow setting thread context.
##
setcontext

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setegid
seteuid
setgid

##
## Allow use of the process interval timer.
##
setitimer

##
## Allow setpriority(2).
##
## XXXRW: Requires scoping.
##
setpriority

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setregid
setresgid
setresuid
setreuid

##
## Allow setting process resource limits with setrlimit(2).
##
setrlimit

##
## Allow creating a new session with setsid(2).
##
setsid

##
## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.
##
setsockopt

##
## Allow setting current process credential state, which is controlled
## separately by privilege.
##
setuid

##
## shm_open(2) is scoped so as to allow only access to new anonymous objects.
##
shm_open

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
shutdown

##
## Allow signal control on the current process.
##
sigaction
sigaltstack
sigblock
sigpending
sigprocmask
sigqueue
sigreturn
sigsetmask
sigstack
sigsuspend
sigtimedwait
sigvec
sigwaitinfo
sigwait

##
## Allow creating new sockets and socket pairs with socket(2) and socketpair(2).
##
socket
socketpair

##
## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?
##
sstk

##
## Do allow sync(2) for now, but possibly shouldn't.
##
sync

##
## Always allow process termination with sys_exit(2).
##
sys_exit

##
## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each
## architecture.
##
sysarch

##
## Allow thread operations that operate only on the current process.
##
thr_create
thr_exit
thr_kill

##
## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.
##
#thr_kill2

##
## Allow thread operations that operate only on the current process.
##
thr_new
thr_self
thr_set_name
thr_suspend
thr_wake

##
## Allow manipulation of the current process umask with umask(2).
##
umask

##
## Allow submitting process trace entries with utrace(2).
##
utrace

##
## Allow generating UUIDs with uuidgen(2).
##
uuidgen

##
## Allow I/O-related operations on file descriptors, subject to capability
## rights.
##
write
writev

##
## Allow processes to yield(2).
##
yield
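As an added example (not FreeBSD code), the following parses the capabilities.conf format used above, separating enabled entries from the commented-out (`#name`) ones, and reports which system calls a program relies on that will not be permitted once it calls cap_enter(2); the conf excerpt and the program's syscall list are constructed for the demonstration.

```python
"""Added example (not FreeBSD code): parse a capabilities.conf in the format
above and report which syscalls a program uses that capability mode forbids."""
import re

# Constructed excerpt in the file's own format: "##" lines are comments, one
# enabled syscall per line, and a single leading "#" disables an entry, with an
# optional trailing note as in "#pdwait4 # not yet implemented".
SAMPLE_CONF = """\
##
## List of system calls enabled in capability mode, one name per line.
__sysctl
#audit
cap_enter
close
openat
#pdwait4 # not yet implemented
read
write
"""

_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_capabilities_conf(text):
    """Return (enabled, disabled) lists of syscall names, in file order."""
    enabled, disabled = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # blank line or comment block
        target = enabled
        if line.startswith("#"):          # commented-out entry: disabled
            target = disabled
            line = line[1:].strip()
        name = re.split(r"[\s#]", line, maxsplit=1)[0]  # drop trailing note
        if not _NAME.match(name):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        target.append(name)
    return enabled, disabled

def not_permitted(used, text=SAMPLE_CONF):
    """Sorted syscalls in `used` not enabled in capability mode. A disabled entry
    counts like an unlisted one: after cap_enter(2) both fail with ECAPMODE."""
    enabled, _ = parse_capabilities_conf(text)
    return sorted(set(used) - set(enabled))

if __name__ == "__main__":
    # Constructed list of calls made by a hypothetical tool after sandboxing.
    uses = ["openat", "read", "write", "open", "audit", "connect"]
    print("not permitted in capability mode:", not_permitted(uses))
```

Calls that the report flags must be performed before entering capability mode, or replaced by a descriptor-relative variant such as openat(2) on a pre-opened directory.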