[OpenBSD]

Manual Page Search Parameters

TAME(2) System Calls Manual TAME(2)

NAME

tamerestrict system operations

SYNOPSIS

#include <sys/tame.h>
int
tame(int flags);

DESCRIPTION

The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory management, read-write operations on file descriptors, opening of files, networking. In general, these modes were selected by studying the operation of many programs using libc and other such interfaces.
Use of tame() in an application will require at least some study and understanding of the interfaces called.
Subsequent calls to tame() can reduce abilities further, but abilities can never be regained.
A process which attempts a restricted operation is killed with SIGKILL. If TAME_ABORT is set, then a non-blockable SIGABRT is delivered instead, possibly resulting in a core(5) file.
A flags value of 0 restricts the process to the _exit(2) system call. This can be used for pure computation operating on memory shared with another process.
All TAME_* options below (with the exception of TAME_ABORT) permit the following system calls:
clock_getres(2), clock_gettime(2), fchdir(2), getdtablecount(2), getegid(2), geteuid(2), getgid(2), getgroups(2), getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2), getppid(2), getresgid(2), getresuid(2), getrlimit(2), getsid(2), getthrid(2), gettimeofday(2), getuid(2), getuid(2), issetugid(2), nanosleep(2), sendsyslog(2), setitimer(2), sigaction(2), sigprocmask(2), sigreturn(2), umask(2), wait4(2).
Calls allowed with restrictions include:
access(2)
May check for existence of /etc/localtime.
adjtime(2)
Read-only, for ntpd(8).
open(2)
May open /etc/localtime, any files below /usr/share/zoneinfo and files ending in libc.cat below the directory /usr/share/nls/.
readlink(2)
May operate on /etc/malloc.conf.
sysctl(3)
A small set of read-only operations are allowed, sufficient to support: getdomainname(3), gethostname(3), getifaddrs(3), uname(3), system sensor readings.
tame(2)
Can only reduce permissions.
The flags are specified as a bitwise OR of the following values:
 
 
TAME_MALLOC
To allow use of the malloc(3) family of functions, the following system calls are permitted:
getentropy(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2).
 
 
TAME_RW
The following system calls are permitted to allow most types of IO operations on previously allocated file descriptors, including libevent or handwritten async IO loops:
poll(2), kevent(2), kqueue(2), select(2), close(2), dup(2), dup2(2), dup3(2), closefrom(2), shutdown(2), read(2), readv(2), pread(2), preadv(2), write(2), writev(2), pwrite(2), pwritev(2), ftruncate(2), lseek(2), utimes(2), futimes(2), utimensat(2), futimens(2), fcntl(2), fsync(2), pipe(2), pipe2(2), socketpair(2), getdents(2), sendto(2), sendmsg(2), recvmsg(2), recvfrom(2), fstat(2).
 
 
TAME_STDIO
This subset is simply the combination of TAME_MALLOC and TAME_RW. As a result, all functionalities of libc stdio works.
 
 
TAME_RPATH
A number of system calls are allowed if they only cause read-only effects on the filesystem:
chdir(2), getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2).
 
 
TAME_WPATH
A number of system calls are allowed and may cause write-effects on the filesystem:
getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2), fstat(2).
 
 
TAME_CPATH
A number of system calls and sub-modes are allowed, which may create new files or directories in the filesystem:
rename(2), rmdir(2), renameat(2), link(2), linkat(2), symlink(2), unlink(2), unlinkat(2), mkdir(2), mkdirat(2).
 
 
TAME_TMPPATH
A number of system calls are allowed to do operations in the /tmp directory, including create, read, or write:
lstat(2), chmod(2), chflags(2), chown(2), unlink(2), fstat(2).
 
 
TAME_INET
The following system calls are allowed to operate in the AF_INET and AF_INET6 domains:
socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2).
setsockopt(2) has been reduced in functionality substantially.
 
 
TAME_UNIX
The following system calls are allowed to operate in the AF_UNIX domain:
socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2).
 
 
TAME_DNS
Subsequent to a successful open(2) of /etc/resolv.conf, a few system calls become able to allow DNS network transactions:
sendto(2), recvfrom(2), socket(2), connect(2).
 
 
TAME_GETPW
This allows read-only opening of files in /etc for the getpwnam(3), getgrnam(3), getgrouplist(3), and initgroups(3) family of functions. They may also need to operate in a yp(8) environment, so a successful open(2) of /var/run/ypbind.lock enables the TAME_INET flag.
 
 
TAME_CMSG
Allows passing of file descriptors using the sendmsg(2) and recvmsg(2) functions.
 
 
TAME_IOCTL
Allows a subset of ioctl(2) operations:
FIOCLEX, FIONCLEX, FIONREAD, FIONBIO, FIOGETOWN, TIOCGWINSZ, TIOCSTI.
 
 
TAME_PROC
Allows the following process relationship operations:
fork(2), vfork(2), kill(2), setgroups(2), setresgid(2), setresuid(2),
 
 
TAME_ABORT
Deliver an unblockable SIGABRT upon violation instead of SIGKILL.

RETURN VALUES

Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

ERRORS

tame() will fail if:
 
 
[EPERM]
This process is attempting to increase permissions.

HISTORY

The tame() system call appeared in OpenBSD 5.8.
July 28, 2015 OpenBSD-5.8