NAME
tame
—
restrict system operations
SYNOPSIS
#include
<sys/tame.h>
int
tame
(int
flags);
DESCRIPTION
The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory management, read-write operations on file descriptors, opening of files, networking. In general, these modes were selected by studying the operation of many programs using libc and other such interfaces.
Use of
tame
() in an
application will require at least some study and understanding of the
interfaces called.
Subsequent calls to
tame
() can
reduce abilities further, but abilities can never be regained.
A process which attempts a restricted operation is killed with
SIGKILL
. If TAME_ABORT
is
set, then a non-blockable SIGABRT
is delivered
instead, possibly resulting in a
core(5) file.
A flags value of 0 restricts the process to the _exit(2) system call. This can be used for pure computation operating on memory shared with another process.
All TAME_*
options below (with the
exception of TAME_ABORT
) permit the following system
calls:
Calls allowed with restrictions include:
- access(2)
- May check for existence of /etc/localtime.
- adjtime(2)
- Read-only, for ntpd(8).
- open(2)
- May open /etc/localtime, any files below /usr/share/zoneinfo and files ending in libc.cat below the directory /usr/share/nls/.
- readlink(2)
- May operate on /etc/malloc.conf.
- sysctl(3)
- A small set of read-only operations are allowed, sufficient to support: getdomainname(3), gethostname(3), getifaddrs(3), uname(3), system sensor readings.
- tame(2)
- Can only reduce permissions.
The flags are specified as a bitwise OR of the following values:
TAME_MALLOC
- To allow use of the
malloc(3) family of functions, the following system calls are
permitted:
getentropy(2), madvise(2), minherit(2), mmap(2), mprotect(2), mquery(2), munmap(2).
TAME_RW
- The following system calls are permitted to allow most types of IO
operations on previously allocated file descriptors, including libevent or
handwritten async IO loops:
poll(2), kevent(2), kqueue(2), select(2), close(2), dup(2), dup2(2), dup3(2), closefrom(2), shutdown(2), read(2), readv(2), pread(2), preadv(2), write(2), writev(2), pwrite(2), pwritev(2), ftruncate(2), lseek(2), utimes(2), futimes(2), utimensat(2), futimens(2), fcntl(2), fsync(2), pipe(2), pipe2(2), socketpair(2), getdents(2), sendto(2), sendmsg(2), recvmsg(2), recvfrom(2), fstat(2).
TAME_STDIO
- This subset is simply the combination of
TAME_MALLOC
andTAME_RW
. As a result, all functionalities of libc stdio works. TAME_RPATH
- A number of system calls are allowed if they only cause read-only effects
on the filesystem:
chdir(2), getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2).
TAME_WPATH
- A number of system calls are allowed and may cause write-effects on the
filesystem:
getcwd(3), openat(2), fstatat(2), faccessat(2), readlinkat(2), lstat(2), chmod(2), fchmod(2), fchmodat(2), chflags(2), chflagsat(2), chown(2), fchown(2), fchownat(2), fstat(2), fstat(2).
TAME_CPATH
- A number of system calls and sub-modes are allowed, which may create new
files or directories in the filesystem:
rename(2), rmdir(2), renameat(2), link(2), linkat(2), symlink(2), unlink(2), unlinkat(2), mkdir(2), mkdirat(2).
TAME_TMPPATH
- A number of system calls are allowed to do operations in the
/tmp directory, including create, read, or write:
lstat(2), chmod(2), chflags(2), chown(2), unlink(2), fstat(2).
TAME_INET
- The following system calls are allowed to operate in the
AF_INET
andAF_INET6
domains:socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2).
setsockopt(2) has been reduced in functionality substantially.
TAME_UNIX
- The following system calls are allowed to operate in the
AF_UNIX
domain:socket(2), listen(2), bind(2), connect(2), accept4(2), accept(2), getpeername(2), getsockname(2), setsockopt(2), getsockopt(2).
TAME_DNS
- Subsequent to a successful open(2) of /etc/resolv.conf, a few system calls become able to allow DNS network transactions:
TAME_GETPW
- This allows read-only opening of files in /etc for
the getpwnam(3),
getgrnam(3),
getgrouplist(3), and
initgroups(3) family of functions. They may also need to
operate in a yp(8) environment, so a successful
open(2) of /var/run/ypbind.lock enables the
TAME_INET
flag. TAME_CMSG
- Allows passing of file descriptors using the sendmsg(2) and recvmsg(2) functions.
TAME_IOCTL
- Allows a subset of
ioctl(2) operations:
FIOCLEX
,FIONCLEX
,FIONREAD
,FIONBIO
,FIOGETOWN
,TIOCGWINSZ
,TIOCSTI
. TAME_PROC
- Allows the following process relationship operations:
fork(2), vfork(2), kill(2), setgroups(2), setresgid(2), setresuid(2),
TAME_ABORT
- Deliver an unblockable
SIGABRT
upon violation instead ofSIGKILL
.
RETURN VALUES
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
ERRORS
tame
() will fail if:
- [
EPERM
] - This process is attempting to increase permissions.
HISTORY
The tame
() system call appeared in
OpenBSD 5.8.