Changeset View
Changeset View
Standalone View
Standalone View
head/share/man/man4/capsicum.4
| Show All 20 Lines | |||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| .\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||
| .\" | .\" | ||||
| .Dd July 5, 2016 | .Dd May 18, 2017 | ||||
| .Dt CAPSICUM 4 | .Dt CAPSICUM 4 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm Capsicum | .Nm Capsicum | ||||
| .Nd lightweight OS capability and sandbox framework | .Nd lightweight OS capability and sandbox framework | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| .Cd "options CAPABILITY_MODE" | .Cd "options CAPABILITY_MODE" | ||||
| .Cd "options CAPABILITIES" | .Cd "options CAPABILITIES" | ||||
| ▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines | |||||
| File descriptors representing processes, allowing parent processes to manage | File descriptors representing processes, allowing parent processes to manage | ||||
| child processes without requiring access to the PID namespace; described in | child processes without requiring access to the PID namespace; described in | ||||
| greater detail in | greater detail in | ||||
| .Xr procdesc 4 . | .Xr procdesc 4 . | ||||
| .It anonymous shared memory | .It anonymous shared memory | ||||
| An extension to the POSIX shared memory API to support anonymous swap objects | An extension to the POSIX shared memory API to support anonymous swap objects | ||||
| associated with file descriptors; described in greater detail in | associated with file descriptors; described in greater detail in | ||||
| .Xr shm_open 2 . | .Xr shm_open 2 . | ||||
| .El | |||||
| .Pp | |||||
| In some cases, | |||||
| .Nm | |||||
| limits the valid values of some parameters to traditional APIs in order to | |||||
| restrict access to global namespaces: | |||||
| .Bl -tag -width indent | |||||
| .It process IDs | |||||
| Processes can only act upon their own process ID with syscalls such as | |||||
| .Xr cpuset_setaffinity 2 . | |||||
| .El | .El | ||||
| .Sh SEE ALSO | .Sh SEE ALSO | ||||
| .Xr cap_enter 2 , | .Xr cap_enter 2 , | ||||
| .Xr cap_fcntls_limit 2 , | .Xr cap_fcntls_limit 2 , | ||||
| .Xr cap_getmode 2 , | .Xr cap_getmode 2 , | ||||
| .Xr cap_ioctls_limit 2 , | .Xr cap_ioctls_limit 2 , | ||||
| .Xr cap_rights_limit 2 , | .Xr cap_rights_limit 2 , | ||||
| .Xr fchmod 2 , | .Xr fchmod 2 , | ||||
| Show All 29 Lines | |||||