From owner-freebsd-questions@freebsd.org Wed Nov 25 20:07:50 2020
Subject: Re: Audit & capscicum on FreeBSD 12.2Stable
To: Kyle Evans
Cc: "freebsd-questions@freebsd.org"
From: Dewayne Geraghty
Message-ID: <5e59a415-1851-a498-a4f9-91221092edb9@heuristicsystems.com.au>
References: <9824de4c-852a-28c5-eb0a-8ef4b5c6bbda@heuristicsystems.com.au>
Date: Thu, 26 Nov 2020 06:58:51 +1100
List-Id: User questions

On 23/11/2020 12:03 pm, Kyle Evans wrote:
> On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty wrote:
>>
>> I've recently included capsicum & casper in our build, but we're finding
>> "Function not implemented" associated with the capsicum audit events.
>>
>> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>>
>> Do these mean that: the audit subsystem doesn't know how to deal with
>> capsicum; that capsicum doesn't interact with audit very well, or is
>> there something else going on?
>>
>
> This would seem to indicate that you are running a kernel that was not
> built with `options CAPABILITIES`.
>
> This part demonstrates that audit picked up what it was because, IIRC,
> the syscall name rendered here is picked out of your audit_event:
>
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>
> So this really is the return value that applications are getting:
>
>> return,failure : Function not implemented,4294967295
>
> "Function not implemented" = ENOSYS, which indicates that it's using
> one of the stubs when CAPABILITIES is not built in.
>
> Thanks,
>
> Kyle Evans
>

Thank you very much, I'd missed the requirement to add:

options CAPABILITY_MODE    # Capsicum capability mode
options CAPABILITIES       # Capsicum capabilities

when I changed src.conf to enable capsicum and casper.
After I read a few technical papers and blogs from:
https://www.cl.cam.ac.uk/research/security/capsicum/documentation.html
posters from
https://www.cl.cam.ac.uk/research/security/ctsrd/posters-slides.html
and finally what is happening with cheri
https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf
the clincher was already at my fingertips: man rights - what it
actually means to us.

Management of capabilities is an excellent addition to our security
framework. (If only we could add to ports ;) )

Regards, Dewayne

PS Apologies for my misspelling. At that time, I had a 7yo practising
piano adjacent to me.
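Added example, not part of the thread: a small Python parser for praudit(1)-style text records like the ones quoted above. It flags cap_*(2) syscalls whose return line reads "Function not implemented" (ENOSYS), the signature of a kernel whose Capsicum stubs are in use because `options CAPABILITIES` was left out. The sample trail is constructed from the records in the thread; the successful open(2) record is an assumed addition for contrast.

```python
"""Flag Capsicum syscalls that an audit trail shows failing with ENOSYS."""
from collections import defaultdict

# Constructed sample in the praudit(1) text layout quoted in the thread; the
# open(2) record is assumed, added so a successful non-Capsicum call is seen too.
SAMPLE_TRAIL = """\
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,79,11,open(2) - read,0,Mon Nov 23 10:27:52 2020, + 10 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,success,3
trailer,79
"""

ENOSYS_TEXT = "Function not implemented"  # strerror(ENOSYS), as praudit prints it


def parse_records(text):
    """Return one dict per header..trailer record: event, pid, status, retval."""
    records, cur = [], None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] == "header":
            # header,<bytes>,<version>,<event name>,<modifier>,<time>,<msec>
            cur = {"event": f[3], "pid": None, "status": None, "retval": None}
        elif f[0] == "subject" and cur is not None:
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid,addr
            cur["pid"] = int(f[6])
        elif f[0] == "return" and cur is not None:
            # retval is printed unsigned: 4294967295 is the 32-bit view of -1
            cur["status"], cur["retval"] = f[1].strip(), int(f[2])
        elif f[0] == "trailer" and cur is not None:
            records.append(cur)
            cur = None
    return records


def capsicum_enosys(records):
    """Map pid -> cap_*(2) events that returned ENOSYS, i.e. hit the
    kernel stubs used when options CAPABILITIES is not compiled in."""
    hits = defaultdict(list)
    for r in records:
        if r["event"].startswith("cap_") and r["status"] and ENOSYS_TEXT in r["status"]:
            hits[r["pid"]].append(r["event"])
    return dict(hits)
```

On a live FreeBSD box the direct check is `sysctl kern.features.security_capabilities` and `kern.features.security_capability_mode`, which are only present when the corresponding kernel options are compiled in.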