Audit & capscicum on FreeBSD 12.2Stable
    Dewayne Geraghty 
    dewayne at heuristicsystems.com.au
       
    Wed Nov 25 20:07:50 UTC 2020
    
    
  
On 23/11/2020 12:03 pm, Kyle Evans wrote:
> On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty
> <dewayne at heuristicsystems.com.au> wrote:
>>
>> I've recently included capscium & casper in our build, but we're finding
>>  "Function not implemented" associated with the capscium audit events.
>>
>> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
>> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
>> return,failure : Function not implemented,4294967295
>> trailer,68
>>
>> Do these mean that: the audit subsystem doesn't know how to deal with
>> capscium; that capsicum doesn't interact with audit very well, or is
>> there something else going on?
>>
> 
> This would seem to indicate that you are running a kernel that was not
> built with `options CAPABILITIES`.
> 
> This part demonstrates that audit picked up what it was because, IIRC,
> the syscall name rendered here is picked out of your audit_event:
> 
>> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> 
> So this really is the return value that applications are getting:
> 
>> return,failure : Function not implemented,4294967295
> 
> "Function not implemented" = ENOSYS, which indicates that it's using
> one of the stubs when CAPABILITIES is not built in.
> 
> Thanks,
> 
> Kyle Evans
> 
Thank-you very much, I'd missed the requirement to add:
options   CAPABILITY_MODE              # Capsicum capability mode
options   CAPABILITIES         # Capsicum capabilities
when I changed src.conf to enable capsicum and casper.
After I read a few technical papers and blogs from:
https://www.cl.cam.ac.uk/research/security/capsicum/documentation.html
posters from
https://www.cl.cam.ac.uk/research/security/ctsrd/posters-slides.html
and finally what is happening with cheri
https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf
but the clincher was already at my fingertips: man rights - what it
actually means to us.
Management of capabilities, is an excellent addition to our security
framework.  (If only we could add to ports ;) )
Regards, Dewayne
PS Apologies for my misspelling. At that time, I had a 7yo practising
piano adjacent to me.
    
    
More information about the freebsd-questions
mailing list