1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2008-2011 Robert N. M. Watson
5 * Copyright (c) 2010-2011 Jonathan Anderson
6 * Copyright (c) 2012 FreeBSD Foundation
7 * All rights reserved.
8 *
9 * This software was developed at the University of Cambridge Computer
10 * Laboratory with support from a grant from Google, Inc.
11 *
12 * Portions of this software were developed by Pawel Jakub Dawidek under
13 * sponsorship from the FreeBSD Foundation.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37 /*
38 * FreeBSD kernel capability facility.
39 *
40 * Two kernel features are implemented here: capability mode, a sandboxed mode
41 * of execution for processes, and capabilities, a refinement on file
42 * descriptors that allows fine-grained control over operations on the file
43 * descriptor. Collectively, these allow processes to run in the style of a
44 * historic "capability system" in which they can use only resources
45 * explicitly delegated to them. This model is enforced by restricting access
46 * to global namespaces in capability mode.
47 *
48 * Capabilities wrap other file descriptor types, binding them to a constant
49 * rights mask set when the capability is created. New capabilities may be
50 * derived from existing capabilities, but only if they have the same or a
51 * strict subset of the rights on the original capability.
52 *
53 * System calls permitted in capability mode are defined by CAPENABLED
54 * flags in syscalls.master; calls must be carefully audited for safety
55 * to ensure that they don't allow escape from a sandbox. Some calls
56 * permit only a subset of operations in capability mode -- for example,
57 * shm_open(2) is limited to creating anonymous, rather than named,
58 * POSIX shared memory objects.
59 */
60
61 #include <sys/cdefs.h>
62 #include "opt_capsicum.h"
63 #include "opt_ktrace.h"
64
65 #include <sys/param.h>
66 #include <sys/capsicum.h>
67 #include <sys/file.h>
68 #include <sys/filedesc.h>
69 #include <sys/kernel.h>
70 #include <sys/limits.h>
71 #include <sys/lock.h>
72 #include <sys/mutex.h>
73 #include <sys/proc.h>
74 #include <sys/syscallsubr.h>
75 #include <sys/sysproto.h>
76 #include <sys/sysctl.h>
77 #include <sys/systm.h>
78 #include <sys/ucred.h>
79 #include <sys/uio.h>
80 #include <sys/ktrace.h>
81
82 #include <security/audit/audit.h>
83
84 #include <vm/uma.h>
85 #include <vm/vm.h>
86
87 bool __read_frequently trap_enotcap;
88 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
89 "Deliver SIGTRAP on ECAPMODE and ENOTCAPABLE");
90
91 #ifdef CAPABILITY_MODE
92
93 #define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */
94
95 FEATURE(security_capability_mode, "Capsicum Capability Mode");
96
97 /*
98 * System call to enter capability mode for the process.
99 */
100 int
sys_cap_enter(struct thread * td,struct cap_enter_args * uap)101 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
102 {
103 struct ucred *newcred, *oldcred;
104 struct proc *p;
105
106 if (IN_CAPABILITY_MODE(td))
107 return (0);
108
109 newcred = crget();
110 p = td->td_proc;
111 PROC_LOCK(p);
112 oldcred = crcopysafe(p, newcred);
113 newcred->cr_flags |= CRED_FLAG_CAPMODE;
114 proc_set_cred(p, newcred);
115 PROC_UNLOCK(p);
116 crfree(oldcred);
117 return (0);
118 }
119
120 /*
121 * System call to query whether the process is in capability mode.
122 */
123 int
sys_cap_getmode(struct thread * td,struct cap_getmode_args * uap)124 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
125 {
126 u_int i;
127
128 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
129 return (copyout(&i, uap->modep, sizeof(i)));
130 }
131
132 #else /* !CAPABILITY_MODE */
133
134 int
sys_cap_enter(struct thread * td,struct cap_enter_args * uap)135 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
136 {
137
138 return (ENOSYS);
139 }
140
141 int
sys_cap_getmode(struct thread * td,struct cap_getmode_args * uap)142 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
143 {
144
145 return (ENOSYS);
146 }
147
148 #endif /* CAPABILITY_MODE */
149
150 #ifdef CAPABILITIES
151
152 FEATURE(security_capabilities, "Capsicum Capabilities");
153
154 MALLOC_DECLARE(M_FILECAPS);
155
156 static inline int
_cap_check(const cap_rights_t * havep,const cap_rights_t * needp,enum ktr_cap_violation type)157 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
158 enum ktr_cap_violation type)
159 {
160 const cap_rights_t rights[] = { *needp, *havep };
161
162 if (!cap_rights_contains(havep, needp)) {
163 if (CAP_TRACING(curthread))
164 ktrcapfail(type, rights);
165 return (ENOTCAPABLE);
166 }
167 return (0);
168 }
169
170 /*
171 * Test whether a capability grants the requested rights.
172 */
173 int
cap_check(const cap_rights_t * havep,const cap_rights_t * needp)174 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
175 {
176
177 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
178 }
179
180 int
cap_check_failed_notcapable(const cap_rights_t * havep,const cap_rights_t * needp)181 cap_check_failed_notcapable(const cap_rights_t *havep, const cap_rights_t *needp)
182 {
183 const cap_rights_t rights[] = { *needp, *havep };
184
185 if (CAP_TRACING(curthread))
186 ktrcapfail(CAPFAIL_NOTCAPABLE, rights);
187 return (ENOTCAPABLE);
188 }
189
190 /*
191 * Convert capability rights into VM access flags.
192 */
193 vm_prot_t
cap_rights_to_vmprot(const cap_rights_t * havep)194 cap_rights_to_vmprot(const cap_rights_t *havep)
195 {
196 vm_prot_t maxprot;
197
198 maxprot = VM_PROT_NONE;
199 if (cap_rights_is_set(havep, CAP_MMAP_R))
200 maxprot |= VM_PROT_READ;
201 if (cap_rights_is_set(havep, CAP_MMAP_W))
202 maxprot |= VM_PROT_WRITE;
203 if (cap_rights_is_set(havep, CAP_MMAP_X))
204 maxprot |= VM_PROT_EXECUTE;
205
206 return (maxprot);
207 }
208
209 /*
210 * Extract rights from a capability for monitoring purposes -- not for use in
211 * any other way, as we want to keep all capability permission evaluation in
212 * this one file.
213 */
214
215 const cap_rights_t *
cap_rights_fde(const struct filedescent * fdep)216 cap_rights_fde(const struct filedescent *fdep)
217 {
218
219 return (cap_rights_fde_inline(fdep));
220 }
221
222 const cap_rights_t *
cap_rights(struct filedesc * fdp,int fd)223 cap_rights(struct filedesc *fdp, int fd)
224 {
225
226 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
227 }
228
229 int
kern_cap_rights_limit(struct thread * td,int fd,cap_rights_t * rights)230 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
231 {
232 struct filedesc *fdp;
233 struct filedescent *fdep;
234 u_long *ioctls;
235 int error;
236
237 fdp = td->td_proc->p_fd;
238 FILEDESC_XLOCK(fdp);
239 fdep = fdeget_noref(fdp, fd);
240 if (fdep == NULL) {
241 FILEDESC_XUNLOCK(fdp);
242 return (EBADF);
243 }
244 ioctls = NULL;
245 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
246 if (error == 0) {
247 seqc_write_begin(&fdep->fde_seqc);
248 fdep->fde_rights = *rights;
249 if (!cap_rights_is_set(rights, CAP_IOCTL)) {
250 ioctls = fdep->fde_ioctls;
251 fdep->fde_ioctls = NULL;
252 fdep->fde_nioctls = 0;
253 }
254 if (!cap_rights_is_set(rights, CAP_FCNTL))
255 fdep->fde_fcntls = 0;
256 seqc_write_end(&fdep->fde_seqc);
257 }
258 FILEDESC_XUNLOCK(fdp);
259 free(ioctls, M_FILECAPS);
260 return (error);
261 }
262
263 /*
264 * System call to limit rights of the given capability.
265 */
266 int
sys_cap_rights_limit(struct thread * td,struct cap_rights_limit_args * uap)267 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
268 {
269 cap_rights_t rights;
270 int error, version;
271
272 cap_rights_init_zero(&rights);
273
274 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
275 if (error != 0)
276 return (error);
277 version = CAPVER(&rights);
278 if (version != CAP_RIGHTS_VERSION_00)
279 return (EINVAL);
280
281 error = copyin(uap->rightsp, &rights,
282 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
283 if (error != 0)
284 return (error);
285 /* Check for race. */
286 if (CAPVER(&rights) != version)
287 return (EINVAL);
288
289 if (!cap_rights_is_valid(&rights))
290 return (EINVAL);
291
292 if (version != CAP_RIGHTS_VERSION) {
293 rights.cr_rights[0] &= ~(0x3ULL << 62);
294 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
295 }
296 #ifdef KTRACE
297 if (KTRPOINT(td, KTR_STRUCT))
298 ktrcaprights(&rights);
299 #endif
300
301 AUDIT_ARG_FD(uap->fd);
302 AUDIT_ARG_RIGHTS(&rights);
303 return (kern_cap_rights_limit(td, uap->fd, &rights));
304 }
305
306 /*
307 * System call to query the rights mask associated with a capability.
308 */
309 int
sys___cap_rights_get(struct thread * td,struct __cap_rights_get_args * uap)310 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
311 {
312 struct filedesc *fdp;
313 cap_rights_t rights;
314 int error, fd, i, n;
315
316 if (uap->version != CAP_RIGHTS_VERSION_00)
317 return (EINVAL);
318
319 fd = uap->fd;
320
321 AUDIT_ARG_FD(fd);
322
323 fdp = td->td_proc->p_fd;
324 FILEDESC_SLOCK(fdp);
325 if (fget_noref(fdp, fd) == NULL) {
326 FILEDESC_SUNLOCK(fdp);
327 return (EBADF);
328 }
329 rights = *cap_rights(fdp, fd);
330 FILEDESC_SUNLOCK(fdp);
331 n = uap->version + 2;
332 if (uap->version != CAPVER(&rights)) {
333 /*
334 * For older versions we need to check if the descriptor
335 * doesn't contain rights not understood by the caller.
336 * If it does, we have to return an error.
337 */
338 for (i = n; i < CAPARSIZE(&rights); i++) {
339 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
340 return (EINVAL);
341 }
342 }
343 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
344 #ifdef KTRACE
345 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
346 ktrcaprights(&rights);
347 #endif
348 return (error);
349 }
350
351 /*
352 * Test whether a capability grants the given ioctl command.
353 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
354 * ENOTCAPABLE will be returned.
355 */
356 int
cap_ioctl_check(struct filedesc * fdp,int fd,u_long cmd)357 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
358 {
359 struct filedescent *fdep;
360 u_long *cmds;
361 ssize_t ncmds;
362 long i;
363
364 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
365 ("%s: invalid fd=%d", __func__, fd));
366
367 fdep = fdeget_noref(fdp, fd);
368 KASSERT(fdep != NULL,
369 ("%s: invalid fd=%d", __func__, fd));
370
371 ncmds = fdep->fde_nioctls;
372 if (ncmds == -1)
373 return (0);
374
375 cmds = fdep->fde_ioctls;
376 for (i = 0; i < ncmds; i++) {
377 if (cmds[i] == cmd)
378 return (0);
379 }
380
381 return (ENOTCAPABLE);
382 }
383
384 /*
385 * Check if the current ioctls list can be replaced by the new one.
386 */
387 static int
cap_ioctl_limit_check(struct filedescent * fdep,const u_long * cmds,size_t ncmds)388 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
389 size_t ncmds)
390 {
391 u_long *ocmds;
392 ssize_t oncmds;
393 u_long i;
394 long j;
395
396 oncmds = fdep->fde_nioctls;
397 if (oncmds == -1)
398 return (0);
399 if (oncmds < (ssize_t)ncmds)
400 return (ENOTCAPABLE);
401
402 ocmds = fdep->fde_ioctls;
403 for (i = 0; i < ncmds; i++) {
404 for (j = 0; j < oncmds; j++) {
405 if (cmds[i] == ocmds[j])
406 break;
407 }
408 if (j == oncmds)
409 return (ENOTCAPABLE);
410 }
411
412 return (0);
413 }
414
415 int
kern_cap_ioctls_limit(struct thread * td,int fd,u_long * cmds,size_t ncmds)416 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
417 {
418 struct filedesc *fdp;
419 struct filedescent *fdep;
420 u_long *ocmds;
421 int error;
422
423 AUDIT_ARG_FD(fd);
424
425 if (ncmds > IOCTLS_MAX_COUNT) {
426 error = EINVAL;
427 goto out_free;
428 }
429
430 fdp = td->td_proc->p_fd;
431 FILEDESC_XLOCK(fdp);
432
433 fdep = fdeget_noref(fdp, fd);
434 if (fdep == NULL) {
435 error = EBADF;
436 goto out;
437 }
438
439 error = cap_ioctl_limit_check(fdep, cmds, ncmds);
440 if (error != 0)
441 goto out;
442
443 ocmds = fdep->fde_ioctls;
444 seqc_write_begin(&fdep->fde_seqc);
445 fdep->fde_ioctls = cmds;
446 fdep->fde_nioctls = ncmds;
447 seqc_write_end(&fdep->fde_seqc);
448
449 cmds = ocmds;
450 error = 0;
451 out:
452 FILEDESC_XUNLOCK(fdp);
453 out_free:
454 free(cmds, M_FILECAPS);
455 return (error);
456 }
457
458 int
sys_cap_ioctls_limit(struct thread * td,struct cap_ioctls_limit_args * uap)459 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
460 {
461 u_long *cmds;
462 size_t ncmds;
463 int error;
464
465 ncmds = uap->ncmds;
466
467 if (ncmds > IOCTLS_MAX_COUNT)
468 return (EINVAL);
469
470 if (ncmds == 0) {
471 cmds = NULL;
472 } else {
473 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
474 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
475 if (error != 0) {
476 free(cmds, M_FILECAPS);
477 return (error);
478 }
479 }
480
481 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
482 }
483
484 int
sys_cap_ioctls_get(struct thread * td,struct cap_ioctls_get_args * uap)485 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
486 {
487 struct filedesc *fdp;
488 struct filedescent *fdep;
489 u_long *cmdsp, *dstcmds;
490 size_t maxcmds, ncmds;
491 int16_t count;
492 int error, fd;
493
494 fd = uap->fd;
495 dstcmds = uap->cmds;
496 maxcmds = uap->maxcmds;
497
498 AUDIT_ARG_FD(fd);
499
500 fdp = td->td_proc->p_fd;
501
502 cmdsp = NULL;
503 if (dstcmds != NULL) {
504 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
505 M_WAITOK | M_ZERO);
506 }
507
508 FILEDESC_SLOCK(fdp);
509 fdep = fdeget_noref(fdp, fd);
510 if (fdep == NULL) {
511 error = EBADF;
512 FILEDESC_SUNLOCK(fdp);
513 goto out;
514 }
515 count = fdep->fde_nioctls;
516 if (count != -1 && cmdsp != NULL) {
517 ncmds = MIN(count, maxcmds);
518 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
519 }
520 FILEDESC_SUNLOCK(fdp);
521
522 /*
523 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
524 * the only sane thing we can do is to not populate the given array and
525 * return CAP_IOCTLS_ALL.
526 */
527 if (count != -1) {
528 if (cmdsp != NULL) {
529 error = copyout(cmdsp, dstcmds,
530 sizeof(cmdsp[0]) * ncmds);
531 if (error != 0)
532 goto out;
533 }
534 td->td_retval[0] = count;
535 } else {
536 td->td_retval[0] = CAP_IOCTLS_ALL;
537 }
538
539 error = 0;
540 out:
541 free(cmdsp, M_FILECAPS);
542 return (error);
543 }
544
545 /*
546 * Test whether a capability grants the given fcntl command.
547 */
548 int
cap_fcntl_check_fde(struct filedescent * fdep,int cmd)549 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
550 {
551 uint32_t fcntlcap;
552
553 fcntlcap = (1 << cmd);
554 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
555 ("Unsupported fcntl=%d.", cmd));
556
557 if ((fdep->fde_fcntls & fcntlcap) != 0)
558 return (0);
559
560 return (ENOTCAPABLE);
561 }
562
563 int
cap_fcntl_check(struct filedesc * fdp,int fd,int cmd)564 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
565 {
566
567 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
568 ("%s: invalid fd=%d", __func__, fd));
569
570 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
571 }
572
573 int
sys_cap_fcntls_limit(struct thread * td,struct cap_fcntls_limit_args * uap)574 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
575 {
576 struct filedesc *fdp;
577 struct filedescent *fdep;
578 uint32_t fcntlrights;
579 int fd;
580
581 fd = uap->fd;
582 fcntlrights = uap->fcntlrights;
583
584 AUDIT_ARG_FD(fd);
585 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
586
587 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
588 return (EINVAL);
589
590 fdp = td->td_proc->p_fd;
591 FILEDESC_XLOCK(fdp);
592
593 fdep = fdeget_noref(fdp, fd);
594 if (fdep == NULL) {
595 FILEDESC_XUNLOCK(fdp);
596 return (EBADF);
597 }
598
599 if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
600 FILEDESC_XUNLOCK(fdp);
601 return (ENOTCAPABLE);
602 }
603
604 seqc_write_begin(&fdep->fde_seqc);
605 fdep->fde_fcntls = fcntlrights;
606 seqc_write_end(&fdep->fde_seqc);
607 FILEDESC_XUNLOCK(fdp);
608
609 return (0);
610 }
611
612 int
sys_cap_fcntls_get(struct thread * td,struct cap_fcntls_get_args * uap)613 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
614 {
615 struct filedesc *fdp;
616 struct filedescent *fdep;
617 uint32_t rights;
618 int fd;
619
620 fd = uap->fd;
621
622 AUDIT_ARG_FD(fd);
623
624 fdp = td->td_proc->p_fd;
625 FILEDESC_SLOCK(fdp);
626 fdep = fdeget_noref(fdp, fd);
627 if (fdep == NULL) {
628 FILEDESC_SUNLOCK(fdp);
629 return (EBADF);
630 }
631 rights = fdep->fde_fcntls;
632 FILEDESC_SUNLOCK(fdp);
633
634 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
635 }
636
637 #else /* !CAPABILITIES */
638
639 /*
640 * Stub Capability functions for when options CAPABILITIES isn't compiled
641 * into the kernel.
642 */
643
644 int
sys_cap_rights_limit(struct thread * td,struct cap_rights_limit_args * uap)645 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
646 {
647
648 return (ENOSYS);
649 }
650
651 int
sys___cap_rights_get(struct thread * td,struct __cap_rights_get_args * uap)652 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
653 {
654
655 return (ENOSYS);
656 }
657
658 int
sys_cap_ioctls_limit(struct thread * td,struct cap_ioctls_limit_args * uap)659 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
660 {
661
662 return (ENOSYS);
663 }
664
665 int
sys_cap_ioctls_get(struct thread * td,struct cap_ioctls_get_args * uap)666 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
667 {
668
669 return (ENOSYS);
670 }
671
672 int
sys_cap_fcntls_limit(struct thread * td,struct cap_fcntls_limit_args * uap)673 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
674 {
675
676 return (ENOSYS);
677 }
678
679 int
sys_cap_fcntls_get(struct thread * td,struct cap_fcntls_get_args * uap)680 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
681 {
682
683 return (ENOSYS);
684 }
685
686 #endif /* CAPABILITIES */
687