Date: Sun, 22 Nov 2020 19:03:13 -0600
From: Kyle Evans <kevans@freebsd.org>
To: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Audit & capscicum on FreeBSD 12.2Stable
Message-ID: <CACNAnaEjnPZ1nyMPLeG7YyRMbJgJEMuWJ8SG_cN8G9PQLRMmnQ@mail.gmail.com>
In-Reply-To: <9824de4c-852a-28c5-eb0a-8ef4b5c6bbda@heuristicsystems.com.au>
References: <9824de4c-852a-28c5-eb0a-8ef4b5c6bbda@heuristicsystems.com.au>

On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty <dewayne@heuristicsystems.com.au> wrote:
>
> I've recently included capsicum & casper in our build, but we're finding
> "Function not implemented" associated with the capsicum audit events.
>
> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
>
> Do these mean that: the audit subsystem doesn't know how to deal with
> capsicum; that capsicum doesn't interact with audit very well, or is
> there something else going on?
>

This would seem to indicate that you are running a kernel that was not
built with `options CAPABILITIES`. This part demonstrates that audit
picked up what it was because, IIRC, the syscall name rendered here is
picked out of your audit_event:

> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec

So this really is the return value that applications are getting:

> return,failure : Function not implemented,4294967295

"Function not implemented" = ENOSYS, which indicates that it's using
one of the stubs when CAPABILITIES is not built in.

Thanks,

Kyle Evans
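
Added example, not part of the original message or of FreeBSD's tooling: a small parser for praudit text records like those quoted above, flagging Capsicum syscalls that fail with ENOSYS, which the reply ties to a kernel built without `options CAPABILITIES`. The function names are hypothetical, and the fourth sample record is constructed for contrast.

```python
from collections import Counter
ENOSYS_TEXT = "Function not implemented"  # strerror(ENOSYS), as praudit prints it
# Records 1-3 are quoted from the message; record 4 is constructed for contrast.
SAMPLE = """\
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,56,11,cap_rights_limit(2),0,Mon Nov 23 10:30:00 2020, + 1 msec
subject,-1,root,wheel,root,wheel,500,0,0,0.0.0.0
return,success,0
trailer,56
"""

def parse_records(text):
    """Group praudit text lines into one dict per header..trailer record."""
    records, cur = [], None
    for line in text.splitlines():
        token, _, rest = line.strip().partition(",")
        if token == "header":
            cur = {"event": rest.split(",")[2], "pid": None, "status": None}
        elif cur is None:
            continue  # stray line outside a record (e.g. truncated trail)
        elif token == "subject":
            cur["pid"] = int(rest.split(",")[5])  # sixth subject field is the pid
        elif token == "return":
            cur["status"] = rest.rpartition(",")[0]  # drop the numeric return value
        elif token == "trailer":
            records.append(cur)
            cur = None
    return records

def capsicum_enosys(records):
    """Count cap_* events that failed with ENOSYS, keyed by (pid, event)."""
    want = "failure : " + ENOSYS_TEXT
    return Counter((r["pid"], r["event"]) for r in records
                   if r["event"].startswith("cap_") and r["status"] == want)

if __name__ == "__main__":
    for (pid, event), n in capsicum_enosys(parse_records(SAMPLE)).items():
        print(f"pid {pid}: {event} returned ENOSYS x{n}; check options CAPABILITIES")
```
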