2 * Copyright (c) 2008-2010 Robert N. M. Watson
5 * This software was developed at the University of Cambridge Computer
6 * Laboratory with support from a grant from Google, Inc.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Definitions for FreeBSD capabilities facility.
35 #ifndef _SYS_CAPABILITY_H_
36 #define _SYS_CAPABILITY_H_
38 #include <sys/cdefs.h>
39 #include <sys/types.h>
44 * Possible rights on capabilities.
47 * Some system calls don't require a capability in order to perform an
48 * operation on an fd. These include: close, dup, dup2.
50 * sendfile is authorized using CAP_READ on the file and CAP_WRITE on the
53 * mmap() and aio*() system calls will need special attention as they may
54 * involve reads or writes depending a great deal on context.
56 #define CAP_READ 0x0000000000000001ULL /* read/recv */
57 #define CAP_WRITE 0x0000000000000002ULL /* write/send */
58 #define CAP_MMAP 0x0000000000000004ULL /* mmap */
59 #define CAP_MAPEXEC 0x0000000000000008ULL /* mmap(2) as exec */
60 #define CAP_MASK_VALID 0x000000000000000fULL
64 #define IN_CAPABILITY_MODE(td) (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE)
67 * Unwrap a capability if its rights mask is a superset of 'rights'.
69 * Unwrapping a non-capability is effectively a no-op; the value of fp_cap
70 * is simply copied into fpp.
72 int cap_funwrap(struct file *fp_cap, cap_rights_t rights,
74 int cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights,
75 u_char *maxprotp, struct file **fpp);
78 * For the purposes of procstat(1) and similar tools, allow kern_descrip.c to
79 * extract the rights from a capability. However, this should not be used by
80 * kernel code generally, instead cap_funwrap() should be used in order to
81 * keep all access control in one place.
83 cap_rights_t cap_rights(struct file *fp_cap);
90 * cap_enter(): Cause the process to enter capability mode, which will
91 * prevent it from directly accessing global namespaces. System calls will
92 * be limited to process-local, process-inherited, or file descriptor
93 * operations. If already in capability mode, a no-op.
95 * Currently, process-inherited operations are not properly handled -- in
96 * particular, we're interested in things like waitpid(2), kill(2), etc,
97 * being properly constrained. One possible solution is to introduce process
103 * cap_getmode(): Are we in capability mode?
105 int cap_getmode(u_int* modep);
109 #endif /* !_KERNEL */
111 #endif /* !_SYS_CAPABILITY_H_ */