Manual Page Search Parameters
cap_sysctl, cap_sysctlbyname(3) library for getting or setting system information in capability mode
cap_sysctlbyname, cap_sysctl(3) library for getting or setting system information in capability mode
libcap_sysctl, cap_sysctl, cap_sysctlbyname(3) library for getting or setting system information in capability mode
CAP_SYSCTL(3) MidnightBSD Library Functions Manual CAP_SYSCTL(3)

cap_sysctlbynamelibrary for getting or setting system information in capability mode

library “libcap_sysctl”

#include <sys/nv.h>
#include <libcasper.h>
#include <casper/cap_sysctl.h>

int
cap_sysctlbyname(cap_channel_t *chan, const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen);

The function () is equivalent to sysctlbyname(3) except that the connection to the system.sysctl service needs to be provided.

The service can be limited using cap_limit_set(3) function. The nvlist(9) for that function can contain the following values and types:

(
NV_TYPE_NUMBER)
The name of the element with type number will be treated as the limited sysctl. The value of the element will describe the access rights for given sysctl. There are four different rights CAP_SYSCTL_READ, CAP_SYSCTL_WRITE, CAP_SYSCTL_RDWR, and CAP_SYSCTL_RECURSIVE. The CAP_SYSCTL_READ flag allows to fetch the value of a given sysctl. The CAP_SYSCTL_WIRTE flag allows to override the value of a given sysctl. The CAP_SYSCTL_RDWR is combination of the CAP_SYSCTL_WIRTE and CAP_SYSCTL_READ and allows to read and write the value of a given sysctl. The CAP_SYSCTL_RECURSIVE allows access to all children of a given sysctl. This right must be combined with at least one other right.

The following example first opens a capability to casper and then uses this capability to create the system.sysctl casper service and uses it to get the value of kern.trap_enotcap.

cap_channel_t *capcas, *capsysctl;
const char *name = "kern.trap_enotcap";
nvlist_t *limits;
int value;
size_t size;

/* Open capability to Casper. */
capcas = cap_init();
if (capcas == NULL)
	err(1, "Unable to contact Casper");

/* Enter capability mode sandbox. */
if (cap_enter() < 0 && errno != ENOSYS)
	err(1, "Unable to enter capability mode");

/* Use Casper capability to create capability to the system.sysctl service. */
capsysctl = cap_service_open(capcas, "system.sysctl");
if (capsysctl == NULL)
	err(1, "Unable to open system.sysctl service");

/* Close Casper capability, we don't need it anymore. */
cap_close(capcas);

/* Create limit for one MIB with read access only. */
limits = nvlist_create(0);
nvlist_add_number(limits, name, CAP_SYSCTL_READ);

/* Limit system.sysctl. */
if (cap_limit_set(capsysctl, limits) < 0)
	err(1, "Unable to set limits");

/* Fetch value. */
if (cap_sysctlbyname(capsysctl, name, &value, &size, NULL, 0) < 0)
	err(1, "Unable to get value of sysctl");

printf("The value of %s is %d.\n", name, value);

cap_close(capsysctl);

cap_enter(2), err(3), sysctlbyname(3), capsicum(4), nv(9)

The cap_sysctl service first appeared in FreeBSD 10.3.

The cap_sysctl service was implemented by Pawel Jakub Dawidek <pawel@dawidek.net> under sponsorship from the FreeBSD Foundation.

This manual page was written by
Mariusz Zaborski <oshogbo@FreeBSD.org>.

May 5, 2020 midnightbsd-3.1