[PATCH] capabilities: audit capability use

Eric W. Biederman ebiederm at xmission.com
Mon Jul 11 21:57:03 UTC 2016


Topi Miettinen <toiwoton at gmail.com> writes:

> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit; in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):

You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.

Eric
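
Added example (not part of the patch or of either message above): a small
Python helper that reads the capability sets the kernel already exposes in
/proc/<pid>/status, decodes the hex masks into capability names, and records
which user namespace the process lives in. The capability numbering follows
<linux/capability.h>; SAMPLE_STATUS is a constructed /proc status excerpt so
the script runs offline, and user_ns_of() only returns a value on Linux. It
illustrates Eric's point from the defender's side: a capability mask, whether
from /proc or from an audit record, only tells you something about a service
once you know which user namespace it was evaluated in.

```python
"""Decode Linux capability masks from /proc/<pid>/status and pair them with
the process's user-namespace identity.  Added example, not code from the
patch under discussion: it reads the CapInh/CapPrm/CapEff/CapBnd/CapAmb
lines the kernel already exposes, not the proposed audit messages."""
import os

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_SET_KEYS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_capmask(hexmask):
    """Turn a 64-bit hex mask (as printed in /proc/<pid>/status) into names."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(64):
        if mask & (1 << bit):
            # Bits above the known table are reported numerically rather than dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(text):
    """Extract the five capability sets from the text of /proc/<pid>/status."""
    sets = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_SET_KEYS:
            sets[key] = decode_capmask(value.strip())
    return sets


def user_ns_of(pid="self"):
    """Identity ('user:[inode]') of the user namespace the process lives in.

    Returns None where /proc/<pid>/ns/user is unavailable (non-Linux, or no
    permission), so callers can tell 'unknown namespace' from a real value."""
    try:
        return os.readlink("/proc/%s/ns/user" % pid)
    except OSError:
        return None


def capability_report(status_text, user_ns):
    """Combine the decoded sets with the namespace they are relative to."""
    report = {"user_ns": user_ns}
    report.update(parse_status(status_text))
    return report


# Constructed sample: a service holding CAP_NET_BIND_SERVICE, with
# CAP_SYS_ADMIN still present in its bounding set.
SAMPLE_STATUS = (
    "Name:\tsvc\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000000000200400\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    print("constructed sample:", capability_report(SAMPLE_STATUS, "user:[constructed]"))
    try:
        with open("/proc/self/status") as fh:
            print("this process:", capability_report(fh.read(), user_ns_of()))
    except OSError:
        print("no /proc/self/status on this system")
```

The CapBnd line in the sample is the one a reviewer of a service's sandbox
would look at first: an effective set of only CAP_NET_BIND_SERVICE still
leaves CAP_SYS_ADMIN reachable through the bounding set, and the same mask
means something different again for a process inside a user namespace it
created, which is why the report carries the namespace identity alongside
the decoded bits.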
