Date: Thu, 26 Nov 2020 06:58:51 +1100
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: Kyle Evans <kevans@freebsd.org>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Audit & capscicum on FreeBSD 12.2Stable
Message-ID: <5e59a415-1851-a498-a4f9-91221092edb9@heuristicsystems.com.au>
In-Reply-To: <CACNAnaEjnPZ1nyMPLeG7YyRMbJgJEMuWJ8SG_cN8G9PQLRMmnQ@mail.gmail.com>
References: <9824de4c-852a-28c5-eb0a-8ef4b5c6bbda@heuristicsystems.com.au> <CACNAnaEjnPZ1nyMPLeG7YyRMbJgJEMuWJ8SG_cN8G9PQLRMmnQ@mail.gmail.com>

On 23/11/2020 12:03 pm, Kyle Evans wrote:
> On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty
> <dewayne@heuristicsystems.com.au> wrote:
>>
>> I've recently included capscium & casper in our build, but we're finding
>> "Function not implemented" associated with the capscium audit events.
>>
>> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>>
>> Do these mean that: the audit subsystem doesn't know how to deal with
>> capscium; that capsicum doesn't interact with audit very well, or is
>> there something else going on?
>>
>
> This would seem to indicate that you are running a kernel that was not
> built with `options CAPABILITIES`.
>
> This part demonstrates that audit picked up what it was because, IIRC,
> the syscall name rendered here is picked out of your audit_event:
>
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>
> So this really is the return value that applications are getting:
>
>> return,failure : Function not implemented,4294967295
>
> "Function not implemented" = ENOSYS, which indicates that it's using
> one of the stubs when CAPABILITIES is not built in.
>
> Thanks,
>
> Kyle Evans
>

Thank-you very much, I'd missed the requirement to add:

options         CAPABILITY_MODE         # Capsicum capability mode
options         CAPABILITIES            # Capsicum capabilities

when I changed src.conf to enable capsicum and casper.

After I read a few technical papers and blogs from:
https://www.cl.cam.ac.uk/research/security/capsicum/documentation.html
posters from
https://www.cl.cam.ac.uk/research/security/ctsrd/posters-slides.html
and finally what is happening with CHERI
https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf

but the clincher was already at my fingertips: man rights - what it
actually means to us. Management of capabilities is an excellent
addition to our security framework. (If only we could add to ports ;) )

Regards, Dewayne

PS Apologies for my misspelling. At that time, I had a 7yo practising
piano adjacent to me.

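Added example, not part of the original thread: a small parser for praudit text output like the records quoted above, flagging Capsicum syscalls that return ENOSYS (the symptom of a kernel built without `options CAPABILITIES`). The first two sample records are copied from the message, the third is constructed; the function names are this example's own, and the subject-token field order (pid as the sixth field after the token name) is an assumption based on the records shown.

```python
# Two records copied from the thread, plus one constructed success record.
SAMPLE = """\
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:28:02 2020, + 101 msec
subject,-1,root,wheel,root,wheel,41700,0,0,0.0.0.0
return,success,0
trailer,68
"""

ENOSYS_TEXT = "failure : Function not implemented"


def parse_records(text):
    """Split praudit text output into records (header .. trailer)."""
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.strip().partition(",")
        if token == "header":
            # header,<len>,<version>,<event name>,<modifier>,<time>,<msec>
            current = {"event": rest.split(",")[2]}
        elif current is None:
            continue  # ignore tokens outside a record
        elif token == "subject":
            current["pid"] = int(rest.split(",")[5])
        elif token == "return":
            status, _, value = rest.rpartition(",")
            current["status"], current["value"] = status, int(value)
        elif token == "trailer":
            records.append(current)
            current = None
    return records


def capsicum_enosys(records):
    """Return cap_* events that failed with ENOSYS."""
    return [r for r in records
            if r["event"].startswith("cap_") and r.get("status") == ENOSYS_TEXT]


if __name__ == "__main__":
    for r in capsicum_enosys(parse_records(SAMPLE)):
        print(f"pid {r['pid']}: {r['event']} -> ENOSYS; check kernel options")
```

On a live system the same functions can be fed the text that `praudit` produces from an audit trail file.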
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5e59a415-1851-a498-a4f9-91221092edb9>