cap_new(2): cap_new - System calls to manipulate capabilities

CAP_NEW(2) FreeBSD System Calls Manual CAP_NEW(2)

NAME

cap_new, cap_getrightsSystem calls to manipulate capabilities

LIBRARY

Standard C Library (libc, -lc)

SYNOPSIS

#include <sys/capability.h>
int
cap_new(int fd, cap_rights_t rights);
int
cap_getrights(int fd, cap_rights_t *rightsp);

DESCRIPTION

Capabilities are special file descriptors derived from an existing file descriptor, such as one returned by fhopen(2), kqueue(2), mq_open(2), open(2), pipe(2), shm_open(2), socket(2), or socketpair(2), but with a restricted set of permitted operations determined by a rights mask set when the capability is created. These restricted rights cannot be changed after the capability is created, although further capabilities with yet more restricted rights may be created from an existing capability. In every other sense, a capability behaves in the same way as the file descriptor it was created from.
cap_new() creates a new capability for the existing file descriptor fd, and returns a file descriptor for it. Operations on the capability will be limited to those permitted by rights, which is static for the lifetime of the capability. If fd refers to an existing capability, then rights must be equal to or a subset of the rights on that capability. As with dup(2) and dup2(2), many properties are shared between the new capability and the existing file descriptor, including open file flags, blocking disposition, and file offset. Many applications will prefer to use the cap_limitfd(3) library call, part of libcapsicum(3), as it offers a more convenient interface.
cap_getrights() queries the rights associated with the capability referred to by file descriptor fd.
These system calls, when combined with cap_enter(2), may be used to construct process sandboxes with highly granular rights assignment.

RIGHTS

The following rights may be specified in a new capability rights mask:
CAP_ACCEPT
Permit accept(2).
CAP_ACL_CHECK
Permit checking of an ACL on a file descriptor; there is no cross-reference for this system call.
CAP_ACL_DELETE
Permit acl_delete_fd_np(2).
CAP_ACL_GET
Permit acl_get_fd(2) and acl_get_fd_np(2).
CAP_ACL_SET
Permit acl_set_fd(2) and acl_set_fd_np(2).
CAP_BIND
Permit bind(2). Note that sockets can also become bound implicitly as a result of connect(2) or send(2), and that socket options set with setsockopt(2) may also affect binding behavior.
CAP_CONNECT
Permit connect(2); also required for sendto(2) with a non-NULL destination address.
CAP_EVENT
Permit select(2), poll(2), and kevent(2) to be used in monitoring the file descriptor for events.
CAP_FEXECVE
Permit fexecve(2); CAP_READ will also be required.
CAP_EXTATTR_DELETE
Permit extattr_delete_fd(2).
CAP_EXTATTR_GET
Permit extattr_get_fd(2).
CAP_EXTATTR_LIST
Permit extattr_list_fd(2).
CAP_EXTATTR_SET
Permit extattr_set_fd(2).
CAP_FCHDIR
Permit fchdir(2).
CAP_FCHFLAGS
Permit fchflags(2).
CAP_FCHMOD
Permit fchmod(2).
CAP_FCHOWN
Permit fchown(2).
CAP_FCNTL
Permit fcntl(2); be aware that this call provides indirect access to other operations, such as flock(2).
CAP_FLOCK
Permit flock(2) and related calls.
CAP_FPATHCONF
Permit fpathconf(2).
CAP_FSCK
Permit UFS background-fsck operations on the descriptor.
CAP_FSTAT
Permit fstat(2).
CAP_FSTATFS
Permit fstatfs(2).
CAP_FSYNC
Permit aio_fsync(2) and fsync(2).
CAP_FTRUNCATE
Permit ftruncate(2).
CAP_FUTIMES
Permit futimes(2).
CAP_GETPEERNAME
Permit getpeername(2).
CAP_GETSOCKNAME
Permit getsockname(2).
CAP_GETSOCKOPT
Permit getsockopt(2).
CAP_IOCTL
Permit ioctl(2). Be aware that this system call has enormous scope, including potentially global scope for some objects.
CAP_KEVENT
Permit kevent(2); CAP_EVENT is also required on file descriptors that will be monitored using kevent(2).
CAP_LISTEN
Permit listen(2); not much use (generally) without CAP_BIND.
CAP_LOOKUP
Permit the file descriptor to be used as a starting directory for calls such as linkat(2), openat(2), and unlinkat(2). Note that these calls are not available in capability mode as they manipulate a global name space; see cap_enter(2) for details.
CAP_MAC_GET
Permit mac_get_fd(2).
CAP_MAC_SET
Permit mac_set_fd(2).
CAP_MMAP
Permit mmap(2); specific invocations may also require CAP_READ or CAP_WRITE.
CAP_PDGETPID
Permit pdgetpid(2).
CAP_PDKILL
Permit pdkill(2).
CAP_PDWAIT
Permit pdwait4(2).
CAP_PEELOFF
Permit sctp_peeloff(2).
CAP_READ
Allow aio_read(2), pread(2), read(2), recv(2), recvfrom(2), recvmsg(2), and related system calls.
For files and other seekable objects, CAP_SEEK may also be required.
CAP_REVOKE
Permit frevoke(2) in certain ABI compatibility modes that support this system call.
CAP_SEEK
Permit operations that seek on the file descriptor, such as lseek(2), but also required for I/O system calls that modify the file offset, such as read(2) and write(2).
CAP_SEM_GETVALUE
Permit sem_getvalue(3).
CAP_SEM_POST
Permit sem_post(3).
CAP_SEM_WAIT
Permit sem_wait(3) and sem_trywait(3).
CAP_SETSOCKOPT
Permit setsockopt(2); this controls various aspects of socket behavior and may affect binding, connecting, and other behaviors with global scope.
CAP_SHUTDOWN
Permit explicit shutdown(2); closing the socket will also generally shut down any connections on it.
CAP_TTYHOOK
Allow configuration of TTY hooks, such as snp(4), on the file descriptor.
CAP_WRITE
Allow aio_write(2), pwrite(2), send(2), sendmsg(2), sendto(2), write(2), and related system calls.
For files and other seekable objects, CAP_SEEK may also be required.
For sendto(2) with a non-NULL connection address, CAP_CONNECT is also required.

CAVEAT

The cap_new() system call and the capabilities it creates may be used to assign fine-grained rights to sandboxed processes running in capability mode. However, the semantics of objects accessed via file descriptors are complex, so caution should be exercised in passing object capabilities into sandboxes.

RETURN VALUES

If successful, cap_new() returns a non-negative integer, termed a file descriptor. It returns -1 on failure, and sets errno to indicate the error.

The cap_getrights() function returns the value 0 if successful; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

ERRORS

cap_new() may return the following errors:
[EBADF]
The fd argument is not a valid active descriptor.
[EINVAL]
An invalid right has been requested in rights.
[EMFILE]
The process has already reached its limit for open file descriptors.
[ENFILE]
The system file table is full.
[EPERM]
rights contains requested rights not present in the current rights mask associated with the capability referenced by fd, if any.

cap_getrights() may return the following errors:
[EBADF]
The fd argument is not a valid active descriptor.
[EINVAL]
The fd argument is not a capability.

HISTORY

Support for capabilities and capabilities mode was developed as part of the TrustedBSD Project.

BUGS

This man page should list the set of permitted system calls more specifically for each capability right.
Capability rights sometimes have unclear indirect impacts, which should be documented, or at least hinted at.

AUTHORS

These functions and the capability facility were created by Robert N. M. Watson at the University of Cambridge Computer Laboratory with support from a grant from Google, Inc.
July 20, 2011 FreeBSD 9.0


Categories

  1. System (20)
    1. FreeBSD (5)
    2. Linux (9)
  2. Email (2)
  3. DNS (2)
  4. Databases (1)
  5. WebServer (27)
 
Copyright © 2012-2015 HowToUnix - *nix Howtos and Tutorials
All Rights Reserved.