2 .\" Copyright (c) 2008-2010 Robert N. M. Watson
3 .\" All rights reserved.
5 .\" This software was developed at the University of Cambridge Computer
6 .\" Laboratory with support from a grant from Google, Inc.
8 .\" Redistribution and use in source and binary forms, with or without
9 .\" modification, are permitted provided that the following conditions
11 .\" 1. Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
13 .\" 2. Redistributions in binary form must reproduce the above copyright
14 .\" notice, this list of conditions and the following disclaimer in the
15 .\" documentation and/or other materials provided with the distribution.
17 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 .Nd System calls to manipulate capabilities
43 .Fn cap_new "int fd" "cap_rights_t rights"
45 .Fn cap_getrights "int fd" "cap_rights_t *rightsp"
47 Capabilities are special file descriptors derived from an existing file
48 descriptor, such as one returned by
58 but with a restricted set of permitted operations determined by a rights
59 mask set when the capability is created.
60 These restricted rights cannot be changed after the capability is created,
61 although further capabilities with yet more restricted rights may be created
62 from an existing capability.
63 In every other sense, a capability behaves in the same way as the file
64 descriptor it was created from.
67 creates a new capability for the existing file descriptor
69 and returns a file descriptor for it.
70 Operations on the capability will be limited to those permitted by
72 which is static for the lifetime of the capability.
75 refers to an existing capability, then
77 must be equal to or a subset of the rights on that capability.
82 many properties are shared between the new capability and the existing file
83 descriptor, including open file flags, blocking disposition, and file offset.
84 Many applications will prefer to use the
88 as it offers a more convenient interface.
91 queries the rights associated with the capability referred to by file
95 These system calls, when combined with
97 may be used to construct process sandboxes with highly granular rights
100 The following rights may be specified in a new capability rights mask:
101 .Bl -tag -width CAP_EXTATTR_DELETE
106 Permit checking of an ACL on a file descriptor; there is no cross-reference
107 for this system call.
108 .It Dv CAP_ACL_DELETE
110 .Xr acl_delete_fd_np 3 .
115 .Xr acl_get_fd_np 3 .
120 .Xr acl_set_fd_np 3 .
124 Note that sockets can also become bound implicitly as a result of
128 and that socket options set with
130 may also affect binding behavior.
136 with a non-NULL destination address.
143 to be used in monitoring the file descriptor for events.
148 will also be required.
149 .It Dv CAP_EXTATTR_DELETE
151 .Xr extattr_delete_fd 2 .
152 .It Dv CAP_EXTATTR_GET
154 .Xr extattr_get_fd 2 .
155 .It Dv CAP_EXTATTR_LIST
157 .Xr extattr_list_fd 2 .
158 .It Dv CAP_EXTATTR_SET
160 .Xr extattr_set_fd 2 .
176 be aware that this call provides indirect access to other operations, such as
186 Permit UFS background-fsck operations on the descriptor.
205 .It Dv CAP_GETPEERNAME
208 .It Dv CAP_GETSOCKNAME
211 .It Dv CAP_GETSOCKOPT
217 Be aware that this system call has enormous scope, including potentially
218 global scope for some objects.
223 is also required on file descriptors that will be monitored using
228 not much use (generally) without
231 Permit the file descriptor to be used as a starting directory for calls such
237 Note that these calls are not available in capability mode as they manipulate
238 a global name space; see
250 specific invocations may also require
275 and related system calls.
277 For files and other seekable objects,
279 may also be required.
283 in certain ABI compatibility modes that support this system call.
285 Permit operations that seek on the file descriptor, such as
287 but also required for I/O system calls that modify the file offset, such as
291 .It Dv CAP_SEM_GETVALUE
302 .It Dv CAP_SETSOCKOPT
305 this controls various aspects of socket behavior and may affect binding,
306 connecting, and other behaviors with global scope.
310 closing the socket will also generally shut down any connections on it.
312 Allow configuration of TTY hooks, such as
314 on the file descriptor.
323 and related system calls.
325 For files and other seekable objects,
327 may also be required.
331 with a non-NULL connection address,
338 system call and the capabilities it creates may be used to assign
339 fine-grained rights to sandboxed processes running in capability mode.
340 However, the semantics of objects accessed via file descriptors are complex,
341 so caution should be exercised in passing object capabilities into sandboxes.
345 returns a non-negative integer, termed a file descriptor.
346 It returns -1 on failure, and sets
348 to indicate the error.
350 .Rv -std cap_getrights
353 may return the following errors:
358 argument is not a valid active descriptor.
360 An invalid right has been requested in
363 The process has already reached its limit for open file descriptors.
365 The system file table is full.
368 contains requested rights not present in the current rights mask associated
369 with the capability referenced by
375 may return the following errors:
380 argument is not a valid active descriptor.
384 argument is not a capability.
396 .Xr extattr_delete_fd 2 ,
397 .Xr extattr_get_fd 2 ,
398 .Xr extattr_list_fd 2 ,
399 .Xr extattr_set_fd 2 ,
447 .Xr acl_delete_fd_np 3 ,
449 .Xr acl_get_fd_np 3 ,
450 .Xr acl_set_fd_np 3 ,
462 Support for capabilities and capabilities mode was developed as part of the
466 These functions and the capability facility were created by
467 .An "Robert N. M. Watson"
468 at the University of Cambridge Computer Laboratory with support from a grant
471 This man page should list the set of permitted system calls more specifically
472 for each capability right.
474 Capability rights sometimes have unclear indirect impacts, which should be
475 documented, or at least hinted at.