Re: [PATCH] capabilities: audit capability use

From: Eric W. Biederman
Date: Mon Jul 11 2016 - 18:09:41 EST


Topi Miettinen <toiwoton@xxxxxxxxx> writes:

> There are many basic ways to control processes, including capabilities,
> cgroups and resource limits. However, there are far fewer ways to find
> out useful values for the limits, except blind trial and error.
>
> Currently, there is no way to know which capabilities are actually used.
> Even the source code is only implicit, in-depth knowledge of each
> capability must be used when analyzing a program to judge which
> capabilities the program will exercise.
>
> Generate an audit message at system call exit, when capabilities are used.
> This can then be used to configure capability sets for services by a
> software developer, maintainer or system administrator.
>
> Test case demonstrating basic capability monitoring with the new
> message types 1330 and 1331 and how the cgroups are displayed (boot to
> rdshell):

You totally miss the interactions with the user namespace so this won't
give you the information you are aiming for.

Eric