## Copyright (c) 2008-2010 Robert N. M. Watson
## All rights reserved.
##
## This software was developed at the University of Cambridge Computer
## Laboratory with support from a grant from Google, Inc.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## 1. Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

## List of system calls enabled in capability mode, one name per line.
##
## - sys_exit(2), abort2(2) and close(2) are very important.
## - Sorted alphabetically, please keep it that way.
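## An added example, written for this page and not part of capabilities.conf or
## the FreeBSD kernel build: a C reader for the format described above, plus the
## two checks a reviewer of this file wants (is a given system call enabled in
## capability mode, and is the list still sorted). Assumptions, also marked in
## the code: '#' starts a comment that runs to end of line, so "## prose" lines
## and a disabled "#name" entry are both ignored, and any call not listed is
## disallowed in capability mode. The sample list is a constructed cut-down
## extract in the file's format, not the real list.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CAPCONF_MAX_ENTRIES 512
#define CAPCONF_MAX_NAME    64

struct capconf {
    char names[CAPCONF_MAX_ENTRIES][CAPCONF_MAX_NAME];
    int  count;
};

/* Reads one line. Assumption: '#' starts a comment running to end of line (as
 * the "#pdwait4 # not yet implemented" entry suggests), so "## prose" and a
 * disabled "#name" line are both ignored. Returns 1 and fills name if the line
 * carried exactly one name, 0 if blank or comment-only, -1 if malformed. */
static int capconf_parse_line(const char *line, size_t len, char *name, size_t namesz)
{
    size_t i = 0, end = len, n = 0;

    for (size_t k = 0; k < len; k++)
        if (line[k] == '#') { end = k; break; }
    while (i < end && isspace((unsigned char)line[i]))
        i++;
    while (end > i && isspace((unsigned char)line[end - 1]))
        end--;
    if (i == end)
        return 0;
    for (; i < end; i++) {
        if (isspace((unsigned char)line[i]) || n + 1 >= namesz)
            return -1;                 /* two tokens on one line, or overlong */
        name[n++] = line[i];
    }
    name[n] = '\0';
    return 1;
}

/* Parses a whole file held in memory. Returns the number of enabled calls,
 * or -1 if a line is malformed or the table overflows. */
int capconf_parse(const char *text, struct capconf *out)
{
    const char *p = text;

    out->count = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        char name[CAPCONF_MAX_NAME];
        int rc = capconf_parse_line(p, len, name, sizeof name);

        if (rc < 0 || (rc == 1 && out->count >= CAPCONF_MAX_ENTRIES))
            return -1;
        if (rc == 1)
            strcpy(out->names[out->count++], name);
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return out->count;
}

/* 1 if the call is listed, hence enabled in capability mode; otherwise 0.
 * Anything absent from the list, including a "#name" entry, is denied. */
int capconf_allows(const struct capconf *c, const char *syscall)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->names[i], syscall) == 0)
            return 1;
    return 0;
}

/* The "sorted alphabetically" rule, checked in byte order, which is the order
 * the file uses ('_' sorts before letters, so sys_exit precedes sysarch).
 * Returns 1 if strictly ascending, i.e. sorted and free of duplicates. */
int capconf_is_sorted(const struct capconf *c)
{
    for (int i = 1; i < c->count; i++)
        if (strcmp(c->names[i - 1], c->names[i]) >= 0)
            return 0;
    return 1;
}

/* One-shot wrappers: parse text, then answer one question (-1 = malformed). */
int capconf_text_count(const char *t) { struct capconf c; return capconf_parse(t, &c); }
int capconf_text_allows(const char *t, const char *s)
{ struct capconf c; return capconf_parse(t, &c) < 0 ? -1 : capconf_allows(&c, s); }
int capconf_text_sorted(const char *t)
{ struct capconf c; return capconf_parse(t, &c) < 0 ? -1 : capconf_is_sorted(&c); }

/* Constructed sample in the file's format: a cut-down list, not the real one. */
const char CAPCONF_SAMPLE[] =
    "## Always allow file descriptor close(2).\n"
    "close\n\n"
    "## Disallow connect(2) for now, despite CAP_CONNECT.\n"
    "#connect\n\n"
    "## Process descriptor-related system calls are allowed.\n"
    "pdfork\npdgetpid\npdkill\n"
    "#pdwait4 # not yet implemented\n\n"
    "## Always allow process termination with sys_exit(2).\n"
    "sys_exit\nsysarch\n";
/* Same names with the last two swapped: the order check must reject this. */
const char CAPCONF_UNSORTED[] = "close\npdfork\nsysarch\nsys_exit\n";

int main(void)
{
    printf("%d enabled calls, sorted=%d; close=%d connect=%d pdwait4=%d ktrace=%d\n",
           capconf_text_count(CAPCONF_SAMPLE), capconf_text_sorted(CAPCONF_SAMPLE),
           capconf_text_allows(CAPCONF_SAMPLE, "close"), capconf_text_allows(CAPCONF_SAMPLE, "connect"),
           capconf_text_allows(CAPCONF_SAMPLE, "pdwait4"), capconf_text_allows(CAPCONF_SAMPLE, "ktrace"));
    return 0;
}
```

## Feed it the real file (read into memory) to confirm that a proposed entry is
## actually enabled and that a hand edit has not broken the sort order; a
## disabled "#name" line reads as "not enabled", which is the intended meaning.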
## Allow ACL and MAC label operations by file descriptor, subject to
## capability rights. Allow MAC label operations on the current process but
## we will need to scope __mac_get_pid(2).

## Allow sysctl(2) as we scope internal to the call; this is a global
## namespace, but there are several critical sysctls required for almost
## anything to run, such as hw.pagesize. For now that policy lives in the
## kernel for performance and simplicity, but perhaps it could move to a
## proxying daemon in userspace.

## Allow umtx operations as these are scoped by address space.
##
## XXXRW: Need to check this very carefully.

## Allow process termination using abort2(2).
## Allow accept(2) since it doesn't manipulate namespaces directly, rather
## relies on existing bindings on a socket, subject to capability rights.

## Allow AIO operations by file descriptor, subject to capability rights.

## audit(2) is a global operation, submitting to the global trail, but it is
## controlled by privilege, and it might be useful to be able to submit
## records from sandboxes. For now, disallow, but we may want to think about
## providing some sort of proxy service for this.

## Disallow bind(2) for now, even though we support CAP_BIND.
##
## XXXRW: Revisit this.

## Allow capability mode and capability system calls.

## Allow read-only clock operations.

## Always allow file descriptor close(2).

## Disallow connect(2) for now, despite CAP_CONNECT.
##
## XXXRW: Revisit this.
## cpuset(2) and related calls require scoping by process, but should
## eventually be allowed, at least in the current process case.

## Always allow dup(2) and dup2(2) manipulation of the file descriptor table.

## Allow extended attribute operations by file descriptor, subject to
## capability rights.

## Allow changing file flags, mode, and owner by file descriptor, subject to
## capability rights.

## For now, allow fcntl(2), subject to capability rights, but this probably
## needs additional scoping.

## Allow fexecve(2), subject to capability rights. We perform some scoping,
## such as disallowing privilege escalation.

## Allow flock(2), subject to capability rights.

## Allow fork(2), even though it returns pids -- some applications seem to
## prefer this interface.

## Allow fpathconf(2), subject to capability rights.
## Allow various file descriptor-based I/O operations, subject to capability
## rights.

## Allow querying file and file system state with fstat(2) and fstatfs(2),
## subject to capability rights.

## Allow further file descriptor-based I/O operations, subject to capability
## rights.

## Allow futimes(2), subject to capability rights.

## Allow querying process audit state, subject to normal access control.

## Allow thread context management with getcontext(2).

## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
## rely on CAP_READ and CAP_SEEK now.

## Allow querying certain trivial global state.

## Allow querying current process credential state.

## Allow querying certain trivial global state.

## Allow querying the per-process timer.

## Allow querying current process credential state.

## Allow querying certain trivial global state.
## Allow querying certain per-process scheduling, resource limit, and
##
## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping
## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping.
## getsid(2) needs scoping.

## Allow querying socket state, subject to capability rights.
##
## XXXRW: getsockopt(2) may need more attention.

## Allow querying the global clock.

## Allow querying current process credential state.

## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
## scope, but this is a tricky one as it is also required for tty control.
## We do have a capability right for this operation.
##
## XXXRW: This needs to be revisited.

## Allow querying current process credential state.

## Allow kevent(2), as we will authorize based on capability rights on the
## target descriptor.

## Allow message queue operations on file descriptors, subject to capability
## rights.

## Allow kqueue(2); we will control use of the resulting descriptor.

## Allow managing per-process timers.

## We can't allow ktrace(2) because it relies on a global namespace, but we
## might want to introduce an fktrace(2) of some sort.
## Allow AIO operations by file descriptor, subject to capability rights.

## Allow listen(2), subject to capability rights.
##
## XXXRW: One might argue this manipulates a global namespace.

## Allow I/O-related operations on file descriptors, subject to capability
## rights.

## Allow MAC label operations by file descriptor, subject to capability
## rights.

## Allow simple VM operations on the current process.

## Allow memory mapping a file descriptor, and updating protections, subject
## to capability rights.

## Allow simple VM operations on the current process.

## Allow the current process to sleep.

## Allow querying the global clock.

## Allow AIO operations by file descriptor, subject to capability rights.

## Allow simple VM operations on the current process.

## Allow AIO operations by file descriptor, subject to capability rights.

## Operations relative to directory capabilities.

## Allow entry into open(2). This system call will fail, since access to the
## global file namespace has been disallowed, but allowing entry into the
## syscall means that an audit trail will be generated (which is also very
## useful for debugging).
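## An added example, not part of capabilities.conf or the FreeBSD sources: a C
## program that exercises the two rules stated in the last two blocks, and the
## "subject to capability rights" phrase used throughout. After cap_enter(2)
## the process can still enter open(2), but the call fails with ECAPMODE because
## the global path namespace is closed; openat(2) relative to a directory
## descriptor obtained before sandboxing still works, but only within that
## descriptor's rights; cap_rights_limit(2) can narrow a descriptor's rights
## and never widen them, and an operation outside them fails with ENOTCAPABLE.
## It assumes a FreeBSD host with Capsicum (sys/capsicum.h, cap_enter(2),
## cap_rights_limit(2)); on other systems the Capsicum parts are compiled out
## and run_demo() reports the platform as unsupported. The scratch directory
## and the "probe" file it creates are constructed inputs.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif

enum { DEMO_OK = 0, DEMO_FAIL = 1, DEMO_UNSUPPORTED = 2 };

/* 1 on FreeBSD, where the Capsicum calls used below exist; 0 elsewhere. */
int capsicum_available(void)
{
#if defined(__FreeBSD__)
    return 1;
#else
    return 0;
#endif
}

/* Runs in a forked child, because cap_enter(2) is irreversible for the
 * calling process. Each numbered step checks one rule from the list. */
static int sandbox_child(int dirfd)
{
#if defined(__FreeBSD__)
    cap_rights_t rights;
    struct stat sb;
    char buf[8];
    int fd;

    /* dirfd becomes a directory capability: name lookup and reading only. */
    cap_rights_init(&rights, CAP_LOOKUP, CAP_READ);
    if (cap_rights_limit(dirfd, &rights) == -1 || cap_enter() == -1)
        return DEMO_FAIL;
    /* 1. open(2) is entered, but the global namespace is closed: ECAPMODE. */
    if (open("/etc/passwd", O_RDONLY) != -1 || errno != ECAPMODE)
        return DEMO_FAIL;
    /* 2. A lookup relative to the directory capability works and is readable. */
    fd = openat(dirfd, "probe", O_RDONLY);
    if (fd == -1 || read(fd, buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0)
        return DEMO_FAIL;
    /* 3. ... only within dirfd's rights: no CAP_WRITE there, so no O_WRONLY. */
    if (openat(dirfd, "probe", O_WRONLY) != -1 || errno != ENOTCAPABLE)
        return DEMO_FAIL;
    /* 4. The new descriptor can be narrowed explicitly to CAP_READ alone ... */
    cap_rights_init(&rights, CAP_READ);
    if (cap_rights_limit(fd, &rights) == -1)
        return DEMO_FAIL;
    if (fstat(fd, &sb) != -1 || errno != ENOTCAPABLE)
        return DEMO_FAIL;
    /* 5. ... and never widened again. */
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) != -1 || errno != ENOTCAPABLE)
        return DEMO_FAIL;
    return DEMO_OK;
#else
    (void)dirfd;
    return DEMO_UNSUPPORTED;
#endif
}

/* Builds a scratch directory with one file "probe" (constructed input), opens
 * the directory before sandboxing, runs the checks in a child and returns its
 * verdict. Without Capsicum it returns DEMO_UNSUPPORTED and touches nothing. */
int run_demo(void)
{
    char dir[] = "/tmp/capdemo.XXXXXX";
    char path[sizeof dir + 8];
    int fd, dirfd, status, result = DEMO_FAIL;
    pid_t pid;

    if (!capsicum_available())
        return DEMO_UNSUPPORTED;
    if (mkdtemp(dir) == NULL)
        return DEMO_FAIL;
    snprintf(path, sizeof path, "%s/probe", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd != -1 && write(fd, "hello", 5) == 5) {
        close(fd);
        dirfd = open(dir, O_RDONLY | O_DIRECTORY);
        if (dirfd != -1) {
            pid = fork();
            if (pid == 0)
                _exit(sandbox_child(dirfd));
            if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
                result = WEXITSTATUS(status);
            close(dirfd);
        }
    } else if (fd != -1) {
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    static const char *verdict[] = {
        "every check passed", "a check failed", "no Capsicum on this platform" };
    int r = run_demo();
    printf("capability-mode demo: %s\n", verdict[r]);
    return r == DEMO_FAIL;
}
```

## The pattern to copy from this is the ordering: acquire every descriptor the
## sandbox will need, cut each one down with cap_rights_limit(2), and only then
## call cap_enter(2); nothing acquired afterwards can come from the global
## namespace, which is exactly what the open(2) entry above relies on.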
## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: Perhaps we don't need the OpenBSD version?
## XXXRW: We don't yet do that scoping.

## Process descriptor-related system calls are allowed.
#pdwait4 # not yet implemented

## Allow poll(2), which will be scoped by capability rights.
##
## XXXRW: We don't yet do that scoping.

## Allow I/O-related operations on file descriptors, subject to capability
## rights.

## Allow access to profiling state on the current process.

## Disallow ptrace(2) for now, but we do need debugging facilities in
## capability mode, so we will want to revisit this, possibly by scoping its

## Allow I/O-related operations on file descriptors, subject to capability
## rights.

## Allow real-time scheduling primitives to be used.
##
## XXXRW: These require scoping.

## Allow simple VM operations on the current process.

## Allow querying trivial global scheduler state.
sched_get_priority_max
sched_get_priority_min

## Allow various thread/process scheduler operations.
##
## XXXRW: Some of these require further scoping.

## Allow I/O-related operations on file descriptors, subject to capability
## rights.
sctp_generic_sendmsg_iov

## Allow select(2), which will be scoped by capability rights.

## Allow I/O-related operations on file descriptors, subject to capability
## rights. Use of explicit addresses here is restricted by the system calls
## themselves.
## Allow setting per-process audit state, which is controlled separately by
## privilege.

## Allow setting thread context.

## Allow setting current process credential state, which is controlled
## separately by privilege.

## Allow use of the process interval timer.

## Allow setpriority(2).
##
## XXXRW: Requires scoping.

## Allow setting current process credential state, which is controlled
## separately by privilege.

## Allow setting process resource limits with setrlimit(2).

## Allow creating a new session with setsid(2).

## Allow setting socket options with setsockopt(2), subject to capability
## rights.
##
## XXXRW: Might require scoping.

## Allow setting current process credential state, which is controlled
## separately by privilege.

## shm_open(2) is scoped so as to allow only access to new anonymous objects.

## Allow I/O-related operations on file descriptors, subject to capability
## rights.

## Allow signal control on the current process.

## Allow creating new sockets and socket pairs with socket(2) and
## socketpair(2).

## Allow simple VM operations on the current process.
##
## XXXRW: Kernel doesn't implement this, so drop?

## Do allow sync(2) for now, but possibly shouldn't.

## Always allow process termination with sys_exit(2).

## sysarch(2) does rather diverse things, but is required on at least i386
## in order to configure per-thread data. As such, it's scoped on each

## Allow thread operations operating only on the current process.

## Disallow thr_kill2(2), as it may operate beyond the current process.
##
## XXXRW: Requires scoping.

## Allow thread operations operating only on the current process.

## Allow manipulation of the current process umask with umask(2).

## Allow submitting process trace entries with utrace(2).

## Allow generating UUIDs with uuidgen(2).

## Allow I/O-related operations on file descriptors, subject to capability
## rights.

## Allow processes to yield(2).