2 .\" Copyright (c) 2011, 2013 Robert N. M. Watson
3 .\" Copyright (c) 2011 Jonathan Anderson
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd lightweight OS capability and sandbox framework
34 .Cd "options CAPABILITY_MODE"
35 .Cd "options CAPABILITIES"
38 is a lightweight OS capability and sandbox framework implementing a hybrid
39 capability system model.
40 Capabilities are unforgeable tokens of authority that can be delegated and must
41 be presented to perform an action.
43 makes file descriptors into capabilities.
46 can be used for application and library compartmentalisation, the
47 decomposition of larger bodies of software into isolated (sandboxed)
48 components in order to implement security policies and limit the impact of
49 software vulnerabilities.
52 provides two core kernel primitives:
53 .Bl -tag -width indent
55 A process mode, entered by invoking
57 in which access to global OS namespaces (such as the file system and PID
58 namespaces) is restricted; only explicitly delegated rights, referenced by
59 memory mappings or file descriptors, may be used.
60 Once set, the flag is inherited by future children processes, and may not be
63 Limit operations that can be called on file descriptors.
64 For example, a file descriptor returned by
67 .Xr cap_rights_limit 2
72 can be called, but not
74 The complete list of the capability rights can be found in the
81 requires use of alternatives to traditional POSIX APIs in order to name
82 objects using capabilities rather than global namespaces:
83 .Bl -tag -width indent
84 .It process descriptors
85 File descriptors representing processes, allowing parent processes to manage
86 child processes without requiring access to the PID namespace; described in
89 .It anonymous shared memory
90 An extension to the POSIX shared memory API to support anonymous swap objects
91 associated with file descriptors; described in greater detail in
97 limits the valid values of some parameters to traditional APIs in order to
98 restrict access to global namespaces:
99 .Bl -tag -width indent
101 Processes can only act upon their own process ID with syscalls such as
102 .Xr cpuset_setaffinity 2 .
106 .Xr cap_fcntls_limit 2 ,
108 .Xr cap_ioctls_limit 2 ,
109 .Xr cap_rights_limit 2 ,
119 .Xr cap_rights_get 3 ,
126 and was developed at the University of Cambridge.
131 .An Robert Watson Aq Mt rwatson@FreeBSD.org
133 .An Jonathan Anderson Aq Mt jonathan@FreeBSD.org
134 at the University of Cambridge, and
135 .An Ben Laurie Aq Mt benl@FreeBSD.org
137 .An Kris Kennaway Aq Mt kris@FreeBSD.org
139 .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .