.\" Copyright (c) 2000 Robert N. M. Watson
.\" All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" TrustedBSD Project - support for POSIX.1e process capabilities
.Nd introduction to the POSIX.1e Capability security API
.Fd #include <sys/types.h>
.Fd #include <sys/capability.h>
The POSIX.1e Capability interface allows processes to manipulate their
capability set, subject to capability manipulation restrictions imposed
by the kernel. Using the capability API, a process may request a copy
of its capability state, modify the copy of the state, and resubmit the
state for use, if permitted.
A variety of functions are provided for manipulating and managing
process capability state and working store state:
.Bl -tag -width cap_from_textXX
This function is described in
and may be used to allocate a fresh capability structure with no capability
This function is described in
and clears all capability flags in a capability structure.
This function is described in
and may be used to duplicate a capability structure.
This function is described in
and may be used to free a capability structure.
This function is described in
and may be used to convert a text-form capability to its internal
This function, described in
allows retrieval of a capability flag value from capability state in
This function, described in
allows retrieval of capability state for the current process.
This function, described in
allows setting of capability flag values in a capability structure held
This function, described in
allows setting of the current process capability state.
This function, described in
converts a capability from its internal representation to one that is
(more) readable by humans.
A number of capabilities exist, each mapping to the ability to violate
a particular aspect of the system policy.
Each capability in a capability set has three flags, indicating the
status of the capability with respect to the file or process it is
.Bl -tag -width CAP_INHERITABLEXX
If true, the capability will be used as necessary during accesses by
.It Dv CAP_INHERITABLE
If true, the capability will be passed through
invocations as appropriate.
If true, the capability is permitted for the process.
Capability inheritance occurs when processes invoke the
call, resulting in internal invocation of the
At that time, a process's capabilities are re-evaluated using a set of
These algorithms take into account the starting capabilities of the process
and the capabilities of the file being executed.
pP' = (fP & X) | (fI & pI)
p[IPE] represent the starting process's inheritable, permitted, and
p'[IPE] represent the new inheritable, permitted, and effective sets.
f[IPE] represent the file's inheritable, permitted, and effective sets.
X represents a global bounding set, currently unimplemented.
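The exec-time rule for the permitted set, and the copy-modify-resubmit flow from the DESCRIPTION, as an added C model that is not part of this manual page or of the TrustedBSD code. The capability bit values, the set_proc_allowed() check and the scenario in main() are this example's own constructions; only the pP' formula and the CAP_SETPCAP rule come from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for a few capabilities named on this page;
 * the real <sys/capability.h> assigns its own values and types. */
typedef uint32_t capset_t;
#define CAP_NET_BIND_SERVICE (1u << 0)
#define CAP_SYS_MODULE       (1u << 1)
#define CAP_KILL             (1u << 2)
#define CAP_SETPCAP          (1u << 3)

/* One set of three flags per capability: I, P and E, as on this page. */
struct capstate { capset_t inheritable, permitted, effective; };

/* Permitted set after execve(2), exactly as the page gives it:
 *   pP' = (fP & X) | (fI & pI)
 * fP is granted only within the bounding set X, and the caller's
 * inheritable bits survive only where the file also marks them inheritable. */
capset_t exec_permitted(struct capstate proc, struct capstate file, capset_t X)
{
    return (file.permitted & X) | (file.inheritable & proc.inheritable);
}

/* Model of the check applied when edited state is resubmitted via
 * cap_set_proc(): growing the permitted set requires CAP_SETPCAP to be
 * effective (the page's CAP_SETPCAP entry). Requiring effective to stay
 * within permitted is this example's assumption, not stated by the page. */
int set_proc_allowed(struct capstate cur, struct capstate req)
{
    if (req.effective & ~req.permitted)
        return 0;                       /* effective must be within permitted */
    if ((req.permitted & ~cur.permitted) && !(cur.effective & CAP_SETPCAP))
        return 0;                       /* expansion needs CAP_SETPCAP */
    return 1;
}

int main(void)
{
    /* Constructed scenario: the caller holds bind+kill inheritable, the file
     * marks kill inheritable and SYS_MODULE permitted, but the bounding set X
     * excludes SYS_MODULE. Only CAP_KILL survives the exec. */
    struct capstate proc = { CAP_NET_BIND_SERVICE | CAP_KILL,
                             CAP_NET_BIND_SERVICE | CAP_KILL, CAP_KILL };
    struct capstate file = { CAP_KILL, CAP_SYS_MODULE, 0 };
    capset_t X = ~CAP_SYS_MODULE;
    printf("pP' = 0x%x\n", exec_permitted(proc, file, X));   /* pP' = 0x4 */
    return 0;
}
```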
The following capabilities are defined and implemented in
.Bl -tag -width CAP_MAC_RELABEL_SUBJ
This capability overrides the restriction that a process cannot change the
user ID of a file it owns, and the restriction that the group ID supplied in
function shall be equal to either the group ID or one of the supplementary
group IDs of the calling process.
.It Dv CAP_DAC_EXECUTE
This capability overrides file mode execute access restrictions when accessing
ACLs are available, this capability overrides the ACL execute access
restrictions when accessing an object.
This capability overrides file mode write access restrictions when accessing an
ACLs are available, this capability also overrides the ACL write access
restrictions when accessing an object.
.It Dv CAP_DAC_READ_SEARCH
This capability overrides file mode read and search access restrictions
when accessing an object, and, if
ACLs are available, this capability overrides the ACL read and search access
restrictions when accessing an object.
This capability overrides the requirements that the user ID associated
with a process be equal to the file owner ID, except in the cases where the
CAP_FSETID capability is applicable.
In general, this capability, when effective, permits a process to perform
all the functions that any file owner would have for their files.
This capability overrides the following restrictions: that the effective
user ID of the calling process shall match the file owner when setting the
set-user-ID (S_ISUID) and set-group-ID (S_ISGID) bits on the file; that
the effective group ID or one of the supplementary group IDs of the calling
process shall match the group ID of the file when setting the set-group-ID
bit of the file; and that the set-user-ID and set-group-ID bits of the file
mode shall be cleared upon successful return from
This capability shall override the restriction that the real or effective
user ID of a process sending a signal must match the real or effective user
ID of the receiving process.
This capability is not available on the FreeBSD platform.
On other platforms, this capability overrides the restriction that a process
cannot create or delete a hard link to a directory.
This capability overrides the restriction that a process cannot
set the file capability state of a file.
This capability overrides the restriction in the
function that a process cannot change its real group ID or change its
effective group ID to a value other than its real group ID.
This capability overrides the restriction in the
function that a process cannot change its real user ID or change its
effective user ID to a value other than the current real user ID.
.It Dv CAP_MAC_DOWNGRADE
This capability overrides the restriction that no process may downgrade
the MAC label of a file.
This capability overrides mandatory read access restrictions when accessing
.It Dv CAP_MAC_RELABEL_SUBJ
This capability overrides the restriction that a process may not modify
.It Dv CAP_MAC_UPGRADE
This capability overrides the restriction that no process may upgrade the
This capability overrides the mandatory write access restrictions when
.It Dv CAP_AUDIT_CONTROL
This capability overrides the restriction that a process cannot modify
audit control parameters.
.It Dv CAP_AUDIT_WRITE
This capability overrides the restriction that a process cannot write data
into the system audit trail.
This capability overrides the restriction that a process cannot expand its
capability set when invoking
.It Dv CAP_SYS_SETFFLAG
This capability overrides the restriction that a process cannot manipulate
the system file flags on a file system object.
For portability, equivalent to
.Dv CAP_LINUX_IMMUTABLE .
.It Dv CAP_NET_BIND_SERVICE
This capability overrides network namespace restrictions on a process's
For example, this capability, when effective, can be used by a process to
bind a port number below 1024 in the IPv4 or IPv6 port spaces.
.It Dv CAP_NET_BROADCAST
This capability overrides the restriction that a process cannot create a
.It Dv CAP_SYS_MODULE
This capability overrides the restriction that a process cannot load or
unload kernel modules.
.It Dv CAP_SYS_CHROOT
This capability overrides the restriction that a process cannot invoke the
.It Dv CAP_SYS_PTRACE
This capability overrides the restriction that a process can only invoke
system call to debug another process if the target process has identical
real and effective user IDs.
This capability overrides the restriction that a process cannot enable,
configure, or disable system process accounting.
This capability overrides the restriction that a process cannot invoke
This capability overrides the restrictions that a process cannot use the
system call to decrease the priority to below that of itself, or modify the
priority of another process.
.It Dv CAP_SYS_RESOURCE
This capability overrides restrictions on how a process may modify its
soft and hard resource limits.
This capability overrides the restriction that a process may not modify the
system date and time.
.It Dv CAP_SYS_TTY_CONFIG
This capability overrides the restriction that a process may not create
Documentation of the internal kernel interfaces backing these calls may
The system calls between the internal interfaces and the public library
routines may change over time, and as such are not documented. They are
not intended to be called directly without going through the library.
.Sh IMPLEMENTATION NOTES
Support for POSIX.1e interfaces and features in
is still under development at this time.
POSIX.1e assigns security labels to all objects, extending the security
functionality described in POSIX.1. These additional labels provide
fine-grained discretionary access control, fine-grained capabilities,
and labels necessary for mandatory access control. POSIX.2c describes
a set of userland utilities for manipulating these labels. These userland
utilities are not bundled with
so as to discourage their
use in the short term.
POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion
of the draft continues on the cross-platform POSIX.1e implementation
mailing list. To join this list, see the
POSIX.1e implementation
page for more information.
Support for POSIX.1e Capabilities was developed as part of the TrustedBSD
POSIX.1e support was introduced in
and development continues.
.An Robert N M Watson
.An Ilmar S Habibulin
is fully implemented, supporting kernel code is not yet available in the
It is slated for inclusion prior to