Diffstat (limited to 'sys/kern/capabilities.conf')
-rw-r--r--sys/kern/capabilities.conf18
1 files changed, 10 insertions, 8 deletions
diff --git a/sys/kern/capabilities.conf b/sys/kern/capabilities.conf
index 11aad16..3c08782 100644
--- a/sys/kern/capabilities.conf
+++ b/sys/kern/capabilities.conf
@@ -110,9 +110,14 @@ aio_write
## Allow capability mode and capability system calls.
##
cap_enter
+cap_fcntls_get
+cap_fcntls_limit
cap_getmode
-cap_getrights
+cap_ioctls_get
+cap_ioctls_limit
cap_new
+cap_rights_get
+cap_rights_limit
##
## Allow read-only clock operations.
@@ -239,7 +244,7 @@ getcontext
## Allow directory I/O on a file descriptor, subject to capability rights.
## Originally we had separate capabilities for directory-specific read
## operations, but on BSD we allow reading the raw directory data, so we just
-## rely on CAP_READ and CAP_SEEK now.
+## rely on CAP_READ now.
##
getdents
getdirentries
@@ -317,13 +322,10 @@ gettimeofday
getuid
##
-## Disallow ioctl(2) for now, as frequently ioctl(2) operations have global
-## scope, but this is a tricky one as it is also required for tty control.
-## We do have a capability right for this operation.
+## Allow ioctl(2), which hopefully will be limited by applications only to
+## required commands with cap_ioctls_limit(2) syscall.
##
-## XXXRW: This needs to be revisited.
-##
-#ioctl
+ioctl
##
## Allow querying current process credential state.
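Review bot: The new comment above `ioctl` says applications will "hopefully" restrict commands, but it never states what a sandboxed process gets when no limit has been set. The removed text warned that ioctl(2) operations frequently have global scope, and nothing visible in this hunk enforces a limit by default, so that concern presumably still applies to any descriptor that carries CAP_IOCTL without a prior cap_ioctls_limit(2) call. I would record the default in the file itself, for example `## NOTE: a descriptor with CAP_IOCTL and no cap_ioctls_limit(2) list accepts every command;` followed by `## sandbox setup should narrow the list before cap_enter(2).` That gives anyone auditing a sandboxed program a concrete thing to check for, rather than relying on each application author having read the man page.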