Audit & capsicum on FreeBSD 12.2Stable
Kyle Evans
kevans at freebsd.org
Mon Nov 23 01:03:25 UTC 2020
On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty
<dewayne at heuristicsystems.com.au> wrote:
>
> I've recently included capsicum & casper in our build, but we're finding
> "Function not implemented" associated with the capsicum audit events.
>
> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
>
> Do these mean that: the audit subsystem doesn't know how to deal with
> capsicum; that capsicum doesn't interact with audit very well, or is
> there something else going on?
>
This would seem to indicate that you are running a kernel that was not
built with `options CAPABILITIES`.

This part demonstrates that audit picked up what it was because, IIRC,
the syscall name rendered here is picked out of your audit_event:

> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec

So this really is the return value that applications are getting:

> return,failure : Function not implemented,4294967295

"Function not implemented" = ENOSYS, which indicates that it's using
one of the stubs when CAPABILITIES is not built in.

Thanks,

Kyle Evans
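
Added example (not part of the reply above and not FreeBSD project code): a small Python parser for praudit(1) text output that reports which processes had cap_* system calls fail with ENOSYS, the pattern the reply attributes to a kernel built without `options CAPABILITIES`. The sample records are constructed in the format quoted in the thread, and the names `parse_records` and `capsicum_enosys` are hypothetical.

```python
import re
from collections import Counter

# Constructed praudit(1) records: the first copies the thread's format,
# the other two are invented controls that must not be flagged.
SAMPLE = """\
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:52 2020, + 101 msec
subject,-1,root,wheel,root,wheel,41700,0,0,0.0.0.0
return,failure : Bad file descriptor,4294967295
trailer,68
header,56,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:53 2020, + 7 msec
subject,-1,root,wheel,root,wheel,41701,0,0,0.0.0.0
return,success,0
trailer,56
"""

ENOSYS_TEXT = "Function not implemented"  # error text shown in the thread
CAP_EVENT = re.compile(r"^cap_\w+\(2\)$")  # Capsicum syscall event names

def parse_records(text):
    """Yield one dict per header..trailer audit record."""
    rec = None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            rec = {"event": rest.split(",")[2]}
        elif rec is None:
            continue  # stray token outside a record
        elif token == "subject":
            rec["pid"] = int(rest.split(",")[5])
        elif token == "return":
            status, _, value = rest.rpartition(",")
            rec["error"] = status.partition(" : ")[2] or None
            # The value is printed as unsigned 32-bit: 4294967295 is -1.
            n = int(value)
            rec["retval"] = n - (1 << 32) if n >= (1 << 31) else n
        elif token == "trailer":
            yield rec
            rec = None

def capsicum_enosys(text):
    """Count cap_* events per (pid, event) that failed with ENOSYS."""
    return Counter((r["pid"], r["event"]) for r in parse_records(text)
                   if CAP_EVENT.match(r["event"]) and r.get("error") == ENOSYS_TEXT)
```

Feeding it the output of `praudit` on a trail file gives a per-process list of sandboxing calls that hit the ENOSYS stubs, while ordinary failures such as a bad descriptor are left out.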