Re: [PATCH] capabilities: audit capability use

From: Eric W. Biederman
Date: Mon Jul 11 2016 - 18:09:41 EST

Next message: Michael Turquette: "Re: [PATCH v2 04/10] clk: add Clock driver for nuc970"
Previous message: Stephen Boyd: "Re: [PATCH v2 18/22] usb: chipidea: msm: Add reset controller for PHY POR bit"
In reply to: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Next in thread: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Topi Miettinen <toiwoton@xxxxxxxxx> writes:

> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):

You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.

Eric

Next message: Michael Turquette: "Re: [PATCH v2 04/10] clk: add Clock driver for nuc970"
Previous message: Stephen Boyd: "Re: [PATCH v2 18/22] usb: chipidea: msm: Add reset controller for PHY POR bit"
In reply to: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Next in thread: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]