Capability mode system calls
Standard C Library (libc, -lc)
cap_enter() places the current process into capability
mode, a mode of execution in which processes may only issue system calls
operating on file descriptors or reading limited global system state. Access
to global name spaces, such as file system or IPC name spaces, is prevented.
If the process is already in a capability mode sandbox, the system call is a
no-op. Future process descendants created with
will be placed in capability mode from inception.
When combined with
cap_enter() may be used to create kernel-enforced
sandboxes in which appropriately-crafted applications or application
components may be run.
cap_getmode() returns a flag indicating
whether or not the process is in a capability mode sandbox.
kern.trap_enotcap sysctl MIB is set to a non-zero
value, then for any process executing in a capability mode sandbox, any
syscall which results in either an
ECAPMODE error also generates the synchronous
SIGTRAP signal to the thread on the syscall return. On
signal delivery, the si_errno member of the
siginfo signal handler parameter is set to the syscall
error value, and the si_code member is set to
See also the
PROC_TRAPCAP_STATUS operations of the
function for similar per-process functionality.
cap_getmode() functions return the value 0 if
successful; otherwise the value -1 is returned and the global variable
errno is set to indicate the error.
When the process is in capability mode,
cap_getmode() sets the flag to a non-zero value. A
zero value means the process is not in capability mode.
cap_getmode() system calls will fail if:
- The kernel is compiled without:
cap_getmode() system call may also
return the following error:
- Pointer modep points outside the process's allocated
cap_getmode() system call first appeared in
FreeBSD 8.3. Support for capabilities and capabilities
mode was developed as part of the TrustedBSD Project.
These functions and the capability facility were created by
Robert N. M. Watson at the University of Cambridge
Computer Laboratory with support from a grant from Google, Inc.
Creating effective process sandboxes is a tricky process that involves
identifying the least possible rights required by the process and then passing
those rights into the process in a safe manner. Consumers of
cap_enter() should also be aware of other inherited
rights, such as access to VM resources, memory contents, and other process
properties that should be considered. It is advisable to use
to create a runtime environment inside the sandbox that has as few implicitly
acquired rights as possible.