tame — restrict system operations

#include <sys/tame.h>

int
tame(int flags);
The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory management, read-write operations on file descriptors, opening of files, networking. In general, these modes were selected by studying the operation of many programs using libc and other such interfaces.

Use of tame() in an application will require at least some study and understanding of the interfaces called.

Subsequent calls to tame() can reduce abilities further, but abilities can never be regained.

A process which attempts a restricted operation is killed with SIGKILL. If TAME_ABORT is set, then a non-blockable SIGABRT is delivered instead, possibly resulting in a core(5) file.

A flags value of 0 restricts the process to the _exit(2) system call. This can be used for pure computation operating on memory shared with another process.
All TAME_* options below (with the exception of TAME_ABORT) permit the following system calls: clock_getres(2), clock_gettime(2), fchdir(2), getdtablecount(2), getegid(2), geteuid(2), getgid(2), getgroups(2), getitimer(2), getlogin(2), getpgid(2), getpgrp(2), getpid(2), getppid(2), getresgid(2), getresuid(2), getrlimit(2), getsid(2), getthrid(2), gettimeofday(2), getuid(2), issetugid(2), nanosleep(2), sendsyslog(2), setitimer(2), sigaction(2), sigprocmask(2), sigreturn(2), umask(2), wait4(2).

Calls allowed with restrictions include:
The flags are specified as a bitwise OR of the following values:
TAME_MALLOC
    To allow use of the malloc(3) family of functions, the following system calls are permitted: getentropy(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2).
TAME_RW
    The following system calls are permitted to allow most types of IO operations on previously allocated file descriptors, including libevent or handwritten async IO loops: poll(2), kevent(2), kqueue(2), select(2), close(2), dup(2), dup2(2), dup3(2), closefrom(2), shutdown(2), read(2), readv(2), pread(2), preadv(2), write(2), writev(2), pwrite(2), pwritev(2), ftruncate(2), lseek(2), utimes(2), futimes(2), utimensat(2), futimens(2), fcntl(2), fsync(2), pipe(2), pipe2(2), socketpair(2), getdents(2), sendto(2), sendmsg(2), recvmsg(2), recvfrom(2), fstat(2).
TAME_STDIO
    This subset is simply the combination of TAME_MALLOC and TAME_RW. As a result, all of libc stdio works.
TAME_RPATH
    A number of system calls are allowed if they only cause read-only effects on the filesystem: chdir(2), getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2).
TAME_WPATH
    A number of system calls are allowed and may cause write-effects on the filesystem: getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2).
TAME_CPATH
    A number of system calls and sub-modes are allowed, which may create new files or directories in the filesystem: rename(2), rmdir(2), renameat(2), link(2), linkat(2), symlink(2), unlink(2), unlinkat(2), mkdir(2), mkdirat(2).
TAME_TMPPATH
    A number of system calls are allowed to do operations in the /tmp directory, including create, read, or write: lstat(2), chmod(2), chflags(2), chown(2), unlink(2), fstat(2).
TAME_INET
    The following system calls are allowed to operate in the AF_INET and AF_INET6 domains: socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2). setsockopt(2) has been reduced in functionality substantially.
TAME_UNIX
    The following system calls are allowed to operate in the AF_UNIX domain: socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2).
TAME_DNS
    Subsequent to a successful open(2) of /etc/resolv.conf, a few system calls become able to allow DNS network transactions: sendto(2), recvfrom(2), socket(2), connect(2).
TAME_GETPW
    This allows read-only opening of files in /etc for the getpwnam(3), getgrnam(3), getgrouplist(3), and initgroups(3) family of functions. They may also need to operate in a yp(8) environment, so a successful open(2) of /var/run/ypbind.lock enables the TAME_INET flag.
TAME_CMSG
    Allows passing of file descriptors using the sendmsg(2) and recvmsg(2) functions.
TAME_IOCTL
    Allows a subset of ioctl(2) operations: FIOCLEX, FIONCLEX, FIONREAD, FIONBIO, FIOGETOWN, TIOCGWINSZ, TIOCSTI.
TAME_PROC
    Allows the following process relationship operations: fork(2), vfork(2), kill(2), setgroups(2), setresgid(2), setresuid(2).
TAME_ABORT
    Deliver an unblockable SIGABRT upon violation instead of SIGKILL.
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

tame() will fail if:

[EPERM]
    This process is attempting to increase permissions.
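As an added illustration of the staged-narrowing pattern the text describes (each tame() call may only remove abilities, and asking for one back fails with EPERM), the following C program is an example written for this page, not code from OpenBSD. When built on OpenBSD it calls the real tame(2) from <sys/tame.h>; on any other system it compiles a small stand-in that mimics the documented contract so the call sequence can still be exercised. The TAME_* bit values defined for that stand-in are arbitrary placeholders chosen for the example, not the values from the real header.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __OpenBSD__
#include <sys/tame.h>           /* real tame(2) and TAME_* flags */
#else
/* Stand-in for non-OpenBSD builds. These bit values are placeholders chosen
 * for this example only; they are not the values from <sys/tame.h>. */
#define TAME_MALLOC 0x01
#define TAME_RW     0x02
#define TAME_STDIO  (TAME_MALLOC | TAME_RW)
#define TAME_RPATH  0x04
#define TAME_INET   0x08

static int current_flags = -1;  /* -1: not yet tamed, every ability present */

/* Mimics the documented contract: abilities may be dropped but never
 * regained; a request for any bit not currently held fails with EPERM. */
static int tame(int flags)
{
    if (current_flags != -1 && (flags & ~current_flags) != 0) {
        errno = EPERM;
        return -1;
    }
    current_flags = flags;
    return 0;
}
#endif

/* Walk a server's lifecycle, requesting the union of everything it will ever
 * need first and then narrowing as each phase completes. Returns the number
 * of phases entered successfully (3 when every call succeeds). */
int narrowing_lifecycle(void)
{
    int phases = 0;

    /* Phase 1: startup. Configuration is parsed from the filesystem and
     * listening sockets are opened, so stdio, read-only paths and the
     * network are all needed. */
    if (tame(TAME_STDIO | TAME_RPATH | TAME_INET) == 0)
        phases++;

    /* Phase 2: serving. Configuration is in memory; drop filesystem reads. */
    if (tame(TAME_STDIO | TAME_INET) == 0)
        phases++;

    /* Phase 3: shutdown. Sockets are closed; only stdio remains for logging. */
    if (tame(TAME_STDIO) == 0)
        phases++;

    return phases;
}

/* After narrowing, ask for TAME_RPATH again. Returns 0 if the request were
 * granted, otherwise the errno the call set; the manual documents EPERM. */
int try_regain_rpath(void)
{
    if (tame(TAME_STDIO | TAME_RPATH) == 0)
        return 0;
    return errno;
}

int main(void)
{
    int phases = narrowing_lifecycle();
    int err = try_regain_rpath();

    printf("phases entered: %d\n", phases);
    printf("regaining TAME_RPATH: %s\n",
           err == 0 ? "granted (unexpected)" : strerror(err));
    return 0;
}
```

The design point is that the first call has to name the union of every ability the program will need over its whole life, because a later phase cannot add anything; each subsequent call then only subtracts. The same ordering constraint is what makes a missed ability show up as a SIGKILL (or SIGABRT with TAME_ABORT) at the first attempt rather than as a silent failure.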
The tame() system call appeared in OpenBSD 5.8.