Re: [PATCH] capabilities: audit capability use
From: Eric W. Biederman
Date: Mon Jul 11 2016 - 18:09:41 EST
Topi Miettinen <toiwoton@xxxxxxxxx> writes:
> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.