Module Types.SystemOperation

module SystemOperation: sig .. end

System operation abstraction:

  • OpenBSD: pledge(2)
  • Linux: seccomp(2)


type t = 
| StdinStdoutStderrAndBasicFunctionality (*

Basic Functionality, allows these system calls:

  • OpenBSD: clock_getres(2), clock_gettime(2), close(2), closefrom(2), dup(2), dup2(2), dup3(2), fchdir(2), fcntl(2), fstat(2), fsync(2), ftruncate(2), getdtablecount(2), getegid(2), getentropy(2), geteuid(2), getgid(2), getgroups(2), getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2), getppid(2), getresgid(2), getresuid(2), getrlimit(2), getrtable(2), getsid(2), getthrid(2), gettimeofday(2), getuid(2), issetugid(2), kevent(2), kqueue(2), kqueue1(2), lseek(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2), nanosleep(2), pipe(2), pipe2(2), poll(2), pread(2), preadv(2), profil(2), pwrite(2), pwritev(2), read(2), readv(2), recvfrom(2), recvmsg(2), select(2), sendmsg(2), sendsyslog(2), sendto(2), setitimer(2), shutdown(2), sigaction(2), sigprocmask(2), sigreturn(2), socketpair(2), umask(2), wait4(2), waitid(2), write(2), writev(2). sendto(2) is only permitted if its destination socket address is NULL. As a result, all the expected functionalities of libc stdio work.
*)
| ReadFromFilesystem (*

read from filesystem allows system calls:

  • OpenBSD: system calls which allow path traversal, reading struct stat, and opening files for read.
*)
| WriteToFilesystem (*

write to filesystem, allows system calls:

  • OpenBSD: similar to ReadFromFilesystem, but files can be opened for write
*)
| CreateAndRemoveOnFilesystem (*

create and remove on filesystem, allows system calls:

  • OpenBSD: similar to WriteToFilesystem, but files can also be created or removed
*)
| SpecialCreateAndRemoveOnFilesystem (*

special create and remove on filesystem, allows system calls:

  • OpenBSD: similar to CreateAndRemoveOnFilesystem, but special files can be created using: mkfifo(2), mknod(2)
*)
| TmpPath (*

tmp path allows:

  • OpenBSD: a number of system calls to do operations in the /tmp directory, including create, read, or write. Automatically unveils certain paths too, e.g. /tmp.
  • Linux: automatically allows Read, Write, Execute and CreateAndRemove in /tmp.
*)
| Networking (*

networking allows the following system calls to operate in the AF_INET and AF_INET6 domain:

  • OpenBSD: socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2)
*)
| NetworkingMulticast (*

networking multicast in combination with Networking:

  • OpenBSD: give back functionality to setsockopt(2) for operating on multicast sockets
*)
| FileAttributeModifiaction (*

file attribute modification allows the following system calls to make explicit changes to fields in struct stat relating to a file:

  • OpenBSD: utimes(2), futimes(2), utimensat(2), futimens(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchownat(2), lchown(2), fchown(2), utimes(2)
*)
| ChangeFileOwnership (*

change file ownership allows:

  • OpenBSD: to change the user or group of a file, via chown(2)
*)
| FileLocking (*

file locking allowed via:

  • OpenBSD: fcntl(2), flock(2), lockf(3), and open(2). No distinction is made between shared and exclusive locks. This is required for unlock as well as lock.
*)
| Unix (*

unix allows the following system calls to operate in the AF_UNIX domain:

  • OpenBSD: socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2)
*)
| DNS (*

dns allows:

  • OpenBSD: Some low-level behaviours required by the DNS resolver res_init(3) are permitted, such as opening resolv.conf(5) and a few networking system calls: socket(2), connect(2), sendto(2), recvfrom(2). To distinguish the dns promise from inet, the libc DNS code opens sockets with the SOCK_DNS flag which OpenBSD requires to communicate with AF_INET and AF_INET6 at port 53.
*)
| GetPassword (*

get password allows:

  • OpenBSD: This allows read-only opening of files in /etc for the getpwnam(3), getgrnam(3), getgrouplist(3), and initgroups(3) family of functions, including lookups via the yp(8) protocol for YP and LDAP databases.
*)
| SendFileDescriptors (*

send file descriptors allows:

  • OpenBSD: sending of file descriptors using sendmsg(2). File descriptors referring to directories may not be passed.
*)
| ReceivingFileDescriptors (*

receiving file descriptors allows:

  • OpenBSD: receiving of file descriptors using recvmsg(2). File descriptors referring to directories may not be passed.
*)
| TapeDrives (*

tape drives allows:

  • OpenBSD: MTIOCGET and MTIOCTOP operations against tape drives.
*)
| TTY (*

teletypewriter allows:

  • OpenBSD: in addition to read-write operations on /dev/tty, this opens up a variety of ioctl(2) requests used by tty devices. If TTY is accompanied with ReadFromFilesystem, revoke(2) is permitted. Otherwise only the following ioctl(2) requests are permitted: TIOCSPGRP, TIOCGETA, TIOCGPGRP, TIOCGWINSZ, TIOCSWINSZ, TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, TIOCSETAF, TIOCUCNTL
*)
| ProcessRelation (*

process relation allows the following process relationship operations:

  • OpenBSD: fork(2), vfork(2), kill(2), getpriority(2), setpriority(2), setrlimit(2), setpgid(2), setsid(2)
*)
| Execute (*

execute allows a process to call:

  • OpenBSD: execve(2). Coupled with the ProcessRelation promise, this allows a process to fork and execute another program.
*)
| ProtectionExecute (*

protection execute allows the use of:

  • OpenBSD: PROT_EXEC with mmap(2) and mprotect(2).
*)
| SetTime (*

settime allows the setting of the system time, via the:

  • OpenBSD: settimeofday(2), adjtime(2), and adjfreq(2) system calls.
*)
| Processes (*

processes allows:

  • OpenBSD: enough sysctl(2) interfaces to allow inspection of processes operating on the system using programs like ps(1).
*)
| VirtualMemoryInfo (*

virtual memory info allows:

  • OpenBSD: enough sysctl(2) interfaces to allow inspection of the system's virtual memory by programs like top(1) and vmstat(8).
*)
| ChangeRightsOfAProcess (*

change rights of a process allows the following system calls which can change the rights of a process:

  • OpenBSD: setuid(2), seteuid(2), setreuid(2), setresuid(2), setgid(2), setegid(2), setregid(2), setresgid(2), setgroups(2), setlogin(2), setrlimit(2), getpriority(2), setpriority(2), setrtable(2)
*)
| PacketFiltering (*

packet filtering allows:

  • OpenBSD: a subset of ioctl(2) operations on the pf(4) device: DIOCADDRULE, DIOCGETSTATUS, DIOCNATLOOK, DIOCRADDTABLES, DIOCRCLRADDRS, DIOCRCLRTABLES, DIOCRCLRTSTATS, DIOCRGETTSTATS, DIOCRSETADDRS, DIOCXBEGIN, DIOCXCOMMIT
*)
| InspectionRoutingTable (*

inspection of routing table allows inspection of the routing table:

  • OpenBSD: .
*)
| ChangeRoutingTable (*

change routing table allows changes to the routing table:

  • OpenBSD: .
*)
| Audio (*

audio allows:

  • OpenBSD: a subset of ioctl(2) operations on audio(4) devices (see sio_open(3) for more information): AUDIO_GETPOS, AUDIO_GETPAR, AUDIO_SETPAR, AUDIO_START, AUDIO_STOP, AUDIO_MIXER_DEVINFO, AUDIO_MIXER_READ, AUDIO_MIXER_WRITE
*)
| Video (*

video allows:

  • OpenBSD: a subset of ioctl(2) operations on video(4) devices: VIDIOC_DQBUF, VIDIOC_ENUM_FMT, VIDIOC_ENUM_FRAMEINTERVALS, VIDIOC_ENUM_FRAMESIZES, VIDIOC_G_CTRL, VIDIOC_G_PARM, VIDIOC_QBUF, VIDIOC_QUERYBUF, VIDIOC_QUERYCAP, VIDIOC_QUERYCTRL, VIDIOC_S_CTRL, VIDIOC_S_FMT, VIDIOC_S_PARM, VIDIOC_STREAMOFF, VIDIOC_STREAMON, VIDIOC_TRY_FMT, VIDIOC_REQBUFS
*)
| BerkeleyPacketFiltering (*

berkeley packet filtering allows:

  • OpenBSD: the BIOCGSTATS operation for statistics collection from a bpf(4) device.
*)
| Error (*

error allows:

  • OpenBSD: a violation is reported to the process as an error with ENOSYS rather than killing the process.
*)
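As an added example (not the project's own code), the C program below maps each constructor of t to the pledge(2) promise keyword it stands for and assembles the space-separated string a pledge call takes, applying it only where pledge(2) exists. The keyword mapping is pledge(2)'s own; the OP_ names, the build_promises helper and its refusal of NetworkingMulticast without Networking are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* One value per constructor of Types.SystemOperation.t, in the module's
 * order (OP_ names are this example's abbreviations, not the project's). */
enum sysop { OP_STDIO, OP_RPATH, OP_WPATH, OP_CPATH, OP_DPATH, OP_TMPPATH,
    OP_INET, OP_MCAST, OP_FATTR, OP_CHOWN, OP_FLOCK, OP_UNIX, OP_DNS, OP_GETPW,
    OP_SENDFD, OP_RECVFD, OP_TAPE, OP_TTY, OP_PROC, OP_EXEC, OP_PROT_EXEC,
    OP_SETTIME, OP_PS, OP_VMINFO, OP_ID, OP_PF, OP_ROUTE, OP_WROUTE, OP_AUDIO,
    OP_VIDEO, OP_BPF, OP_ERROR, OP_COUNT };
/* pledge(2) promise keyword for each constructor, same order as the enum. */
static const char *const promise[OP_COUNT] = { "stdio", "rpath", "wpath",
    "cpath", "dpath", "tmppath", "inet", "mcast", "fattr", "chown", "flock",
    "unix", "dns", "getpw", "sendfd", "recvfd", "tape", "tty", "proc", "exec",
    "prot_exec", "settime", "ps", "vminfo", "id", "pf", "route", "wroute",
    "audio", "video", "bpf", "error" };
/* Render a set of operations as the string pledge(2) takes. Duplicates
 * collapse and the order is canonical. Returns the number of promises
 * written, or -1 if the buffer is too small or if NetworkingMulticast is
 * requested without Networking (the module grants it only in combination). */
int build_promises(const enum sysop *ops, size_t n, char *out, size_t outlen)
{
    int seen[OP_COUNT] = {0}, count = 0, w;
    size_t i, used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) seen[ops[i]] = 1;
    if (seen[OP_MCAST] && !seen[OP_INET]) return -1;
    for (i = 0; i < OP_COUNT; i++) {
        if (!seen[i]) continue;
        w = snprintf(out + used, outlen - used, "%s%s", count ? " " : "", promise[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;  /* truncated */
        used += (size_t)w;
        count++;
    }
    return count;
}
int main(void)
{
    enum sysop ops[] = { OP_INET, OP_STDIO, OP_DNS, OP_STDIO };
    char buf[128];
    if (build_promises(ops, 4, buf, sizeof buf) < 0) return 1;
    puts(buf);                                   /* prints: stdio inet dns */
#ifdef __OpenBSD__
    return pledge(buf, NULL) == 0 ? 0 : 1;   /* restrict to exactly this set */
#else
    return 0;  /* no pledge(2) here; seccomp(2) takes a BPF filter instead */
#endif
}
```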