1 // Copyright (c) 2015-2017 Nuxi, https://nuxi.nl/
3 // Redistribution and use in source and binary forms, with or without
4 // modification, are permitted provided that the following conditions
6 // 1. Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer.
8 // 2. Redistributions in binary form must reproduce the above copyright
9 // notice, this list of conditions and the following disclaimer in the
10 // documentation and/or other materials provided with the distribution.
12 // THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13 // ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14 // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15 // ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16 // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17 // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18 // OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19 // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21 // OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 // <sys/capsicum.h> - file descriptor access controls
// - CAP_FDATASYNC, CAP_POSIX_FADVISE, CAP_POSIX_FALLOCATE, CAP_READDIR and
//   CAP_READLINKAT:
//   fdatasync(), posix_fadvise(), posix_fallocate(), readdir() and
//   readlink() can be controlled independently in this environment.
31 // - cap_rights_get_explicit() and cap_rights_limit_explicit():
32 // Capabilities are expressed as a pair of base and inheriting rights
33 // in this environment.
37 // Per-process working directory is not available. Use *at() instead.
38 // - CAP_FCHFLAGS, CAP_CHFLAGSAT, CAP_FCHMOD, CAP_FCHMODAT, CAP_FCHOWN
40 // Filesystem access control management not available.
42 // File locking not available.
46 // Not applicable to this environment.
48 // Filesystem-level statistics not available.
49 // - CAP_ACCEPT, CAP_BIND, CAP_BINDAT, CAP_CONNECT, CAP_CONNECTAT,
50 // CAP_GETPEERNAME, CAP_GETSOCKNAME and CAP_LISTEN:
51 // Only anonymous, addressless sockets are supported.
52 // - CAP_KQUEUE, CAP_KQUEUE_CHANGE and CAP_KQUEUE_EVENT:
53 // BSD kqueue is not available.
55 // Only anonymous pipes are supported.
57 // Device nodes cannot be created.
58 // - CAP_GETSOCKOPT and CAP_SETSOCKOPT:
59 // Socket parameters cannot be adjusted.
61 // Mandatory Access Control not available.
63 // Semaphores are not represented as file descriptors.
64 // - CAP_IOCTL and cap_ioctls_*():
65 // ioctl() not available.
67 // fcntl() rights cannot be adjusted granularly.
69 // Terminal management is not available.
71 // Process identifiers are not exposed.
73 // Explicit signal delivery is not supported.
75 // Extended inode attributes not available.
77 // Access Control Lists not available.
79 #ifndef _SYS_CAPSICUM_H_
80 #define _SYS_CAPSICUM_H_
// A rights set is a single 64-bit word; every CAP_* macro in this header
// is a mask of one or more bits of it, and the composites are plain ORs.
typedef __uint64_t __cap_rights_bits_t;
// The stored mask. NOTE(review): this is the member the inline helpers
// further down reach through __rights->__value on a cap_rights_t *, so it
// must live inside cap_rights_t; the struct's opening and closing lines
// are not reproduced in this listing.
__cap_rights_bits_t __value;
// Mask for a single right. Every use below passes a literal below 64;
// shifting a 64-bit value by 64 or more would be undefined behaviour.
#define _CAP_BIT(f) (_UINT64_C(1) << (f))
// Terminator appended to the variadic right lists by the cap_rights_*()
// macros. It is 0, which is why no right is ever defined as an empty mask
// and why a caller argument that evaluates to 0 presumably ends the list
// early (the __cap_rights_*() implementations are not in this listing).
#define _CAP_SENTINEL _UINT64_C(0)
// File descriptor operations. Composites are plain ORs, so granting a
// composite grants every bit it contains.
#define CAP_CREATE (_CAP_BIT(10) | _CAP_BIT(14))  // bit 14 is CAP_LOOKUP
#define CAP_FCNTL _CAP_BIT(3)
#define CAP_FDATASYNC _CAP_BIT(0)
// Allows the descriptor to be executed; keep it out of read-only profiles.
#define CAP_FEXECVE _CAP_BIT(32)
#define CAP_FSYNC _CAP_BIT(4)
#define CAP_FTRUNCATE _CAP_BIT(20)
// Mapping rights: CAP_MMAP is combined with CAP_READ, CAP_WRITE and bit 27
// (presumably execute, given the _X name). Note that CAP_MMAP_X carries
// neither CAP_READ nor CAP_WRITE; CAP_MMAP_RWX is the widest form. Grant
// the narrowest variant the caller can work with.
#define CAP_MMAP _CAP_BIT(26)
#define CAP_MMAP_R (CAP_MMAP | CAP_READ)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_W (CAP_MMAP | CAP_WRITE)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_X (CAP_MMAP | _CAP_BIT(27))
#define CAP_POSIX_FADVISE _CAP_BIT(7)    // Extension.
#define CAP_POSIX_FALLOCATE _CAP_BIT(8)  // Extension.
// Bit 2 is shared by CAP_PREAD, CAP_PWRITE and CAP_SEEK (presumably the
// explicit-offset right), so CAP_PREAD implies CAP_READ plus that bit and
// CAP_PWRITE implies CAP_WRITE plus that bit.
#define CAP_PREAD (CAP_READ | _CAP_BIT(2))
#define CAP_PWRITE (CAP_WRITE | _CAP_BIT(2))
#define CAP_READ _CAP_BIT(1)
#define CAP_READDIR _CAP_BIT(15)  // Extension.
#define CAP_SEEK (CAP_SEEK_TELL | _CAP_BIT(2))
#define CAP_SEEK_TELL _CAP_BIT(5)
#define CAP_WRITE _CAP_BIT(6)
// Metadata and namespace operations. The *AT rights apply to directory
// descriptors used with the *at() calls (there is no per-process working
// directory here, see the header comment). linkat() and renameat() have
// separate SOURCE and TARGET rights, so each directory involved can be
// limited independently.
#define CAP_FSTAT _CAP_BIT(19)
#define CAP_FSTATAT _CAP_BIT(22)
#define CAP_FUTIMES _CAP_BIT(21)
#define CAP_FUTIMESAT _CAP_BIT(23)
#define CAP_LINKAT_SOURCE _CAP_BIT(12)
#define CAP_LINKAT_TARGET _CAP_BIT(13)
// Bit 14 is also part of CAP_CREATE, so creating a file implies lookup.
#define CAP_LOOKUP _CAP_BIT(14)
#define CAP_MKDIRAT _CAP_BIT(9)
#define CAP_READLINKAT _CAP_BIT(16)  // Extension.
#define CAP_RENAMEAT_SOURCE _CAP_BIT(17)
#define CAP_RENAMEAT_TARGET _CAP_BIT(18)
#define CAP_SYMLINKAT _CAP_BIT(24)
#define CAP_UNLINKAT _CAP_BIT(25)
// Socket operations. CAP_RECV and CAP_SEND are the very same bits as
// CAP_READ and CAP_WRITE, so limiting a socket to CAP_RECV presumably
// leaves it readable through read() as well (the checking code is not
// visible here).
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SHUTDOWN _CAP_BIT(39)

// Commonly used socket operations. The two sets are identical in this
// environment: there are no CAP_ACCEPT/CAP_BIND/CAP_CONNECT/CAP_LISTEN
// rights because only anonymous, addressless sockets exist (see the
// header comment), so a "server" needs nothing a "client" does not.
#define CAP_SOCK_CLIENT (CAP_RECV | CAP_SEND | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER (CAP_RECV | CAP_SEND | CAP_SHUTDOWN)
// Readiness notification (presumably poll()-style event waiting).
#define CAP_EVENT _CAP_BIT(28)

// Process descriptors.
#define CAP_PDWAIT _CAP_BIT(30)
// Convenience front ends: append the 0 sentinel so callers can pass any
// number of CAP_* masks. Because the terminator is 0, never pass an
// argument that may itself evaluate to 0 (for example a cleared rights
// variable); presumably everything after it would be ignored.
#define cap_rights_clear(...) __cap_rights_clear(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_init(...) __cap_rights_init(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_is_set(...) __cap_rights_is_set(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_set(...) __cap_rights_set(__VA_ARGS__, _CAP_SENTINEL)
// Fill *rights with every right this header defines, or with none. When
// _CLOUDLIBC_INLINE_FUNCTIONS is set these names are redefined as macros
// over the inline _CAP_ALL()/_CAP_NONE() helpers further down.
void CAP_ALL(cap_rights_t *);
void CAP_NONE(cap_rights_t *);
// Variadic back ends of the cap_rights_clear/init/is_set/set() macros. The
// right list must be terminated by _CAP_SENTINEL (0); the macros add it.
// NOTE(review): whether __cap_rights_is_set() means "all listed rights are
// set" or "any of them" is not visible here; confirm before using it as
// an authorization check.
cap_rights_t *__cap_rights_clear(cap_rights_t *, ...);
cap_rights_t *__cap_rights_init(cap_rights_t *, ...);
_Bool __cap_rights_is_set(const cap_rights_t *, ...);
cap_rights_t *__cap_rights_set(cap_rights_t *, ...);
// Presumably reports whether capability mode is active; cap_sandboxed()
// below offers the same answer as a _Bool. Check the int return.
int cap_getmode(unsigned int *);
// NOTE(review): the direction of the containment test (first argument
// contains second, or the reverse) is not visible here; verify against the
// implementation before relying on it for an access decision.
_Bool cap_rights_contains(const cap_rights_t *, const cap_rights_t *);
// Query/limit the rights of a descriptor. The *_explicit variants expose
// the (base, inheriting) pair described in the header comment; the plain
// variants work with a single set. Both return int and the error
// convention is not visible here, so always check the result.
// NOTE(review): in Capsicum, limiting is expected to be monotonic (a
// descriptor's rights can only shrink); confirm that the implementation
// refuses an attempt to add a right the descriptor does not already have.
int cap_rights_get(int, cap_rights_t *);
int cap_rights_get_explicit(int, cap_rights_t *, cap_rights_t *);
int cap_rights_limit(int, const cap_rights_t *);
int cap_rights_limit_explicit(int, const cap_rights_t *, const cap_rights_t *);
// Set algebra on rights sets. Presumably the first argument is updated in
// place and returned; the signatures alone do not show that.
cap_rights_t *cap_rights_merge(cap_rights_t *, const cap_rights_t *);
cap_rights_t *cap_rights_remove(cap_rights_t *, const cap_rights_t *);
// True when the process runs in capability mode.
_Bool cap_sandboxed(void);
172 #if _CLOUDLIBC_INLINE_FUNCTIONS
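// Inline form of CAP_ALL(): stores in *__rights the union of every
// individual right this header defines. The composite masks (CAP_MMAP_R,
// CAP_MMAP_RW, CAP_MMAP_RWX, CAP_MMAP_RX, CAP_MMAP_W, CAP_MMAP_WX, CAP_RECV,
// CAP_SEND, CAP_SOCK_CLIENT, CAP_SOCK_SERVER) are not listed because every
// bit they contain is already contributed by a member below.
//
// Least privilege: this set includes CAP_FEXECVE, CAP_MMAP_X and all of
// the namespace-modifying *AT rights, so a descriptor carrying CAP_ALL can
// be executed, mapped executable, and used to create, rename, link and
// unlink entries in any directory it reaches. Prefer starting from
// CAP_NONE and adding rights over starting here and removing them.
//
// NOTE(review): the union must be stored, not merely evaluated. The text
// reproduced here had the OR expression as a bare statement (its value
// discarded, *__rights never written) and no closing brace; it now assigns
// to __rights->__value, the same member _CAP_NONE() writes.
static __inline void _CAP_ALL(cap_rights_t *__rights) {
  __rights->__value =
      CAP_CREATE | CAP_EVENT | CAP_FCNTL | CAP_FDATASYNC | CAP_FEXECVE |
      CAP_FSTAT | CAP_FSTATAT | CAP_FSYNC | CAP_FTRUNCATE | CAP_FUTIMES |
      CAP_FUTIMESAT | CAP_LINKAT_SOURCE | CAP_LINKAT_TARGET | CAP_LOOKUP |
      CAP_MKDIRAT | CAP_MMAP | CAP_MMAP_X | CAP_PDWAIT | CAP_POSIX_FADVISE |
      CAP_POSIX_FALLOCATE | CAP_PREAD | CAP_PWRITE | CAP_READ | CAP_READDIR |
      CAP_READLINKAT | CAP_RENAMEAT_SOURCE | CAP_RENAMEAT_TARGET | CAP_SEEK |
      CAP_SEEK_TELL | CAP_SHUTDOWN | CAP_SYMLINKAT | CAP_UNLINKAT | CAP_WRITE;
}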
183 #define CAP_ALL(rights) _CAP_ALL(rights)
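// Inline form of CAP_NONE(): clears every right in *__rights. This is the
// right starting point for a cap_rights_limit() profile: begin empty and
// add only the rights the descriptor actually needs.
//
// NOTE(review): the text reproduced here left the function body unclosed;
// the closing brace is restored so the following #define CAP_NONE is not
// swallowed by the function.
static __inline void _CAP_NONE(cap_rights_t *__rights) {
  __rights->__value = 0;
}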
188 #define CAP_NONE(rights) _CAP_NONE(rights)