-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: list noaudit exemptions #27
Conversation
src/auditing.md
Outdated
|
||
- *kernel/capability.c#L518* | ||
|
||
If not granted *CAP_SYS_PTRACE* several tracing related operations are not permitted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't it make more sense to enumerate the callers of ptracer_capable()
in this list? This seems like more of a utility function than the sort of call-site to enumerate here. Grepping ptracer_capable looks like it only has 3 callers, so it wouldn't bloat the list too much to enumerate them instead of listing this call site.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Listed the conditions
src/auditing.md
Outdated
|
||
- *kernel/ptrace.c#L282* | ||
|
||
If not granted *CAP_SYS_PTRACE* in its namespace the fields *kstkesp* and *kstkeip* in the *PID* directory entry *stat* files are zeroed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't fully grokked do_task_stat()
at all, but is this really the only difference? I see the comment about that, but then permitted
is used quite a few more times in the function, and I don't know the /proc portion of the kernel well enough to understand what's going on in the rest of it without a lot more digging.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Listed all affected fields
@cgzones Any chance you can publish an update to this based on Daniel's feedbacj above, or would you prefer us to pick it up? |
In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode. Document this fact and list (hopefully) all occurrences in kernel v6.4. Signed-off-by: Christian Göttsche <[email protected]>
reviewed-by: Joshua Brindle [email protected] |
@jbrindle In the future, would you be able to wait longer before a merge? I would think that typically someone who has reviewed an earlier version may want to review a later version as well, but with just 3 hours after the update, I hadn't gotten to it yet. (It's also the workflow described in https://github.com/SELinuxProject/selinux-notebook/blob/main/MAINTAINER_PROCESS.md to wait for two maintainer acks unless "a reasonable period of time (for example a delay of over two weeks)" has passed) |
In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode.
Document this fact and list (hopefully) all occurrences in kernel v6.4.
Inspired by https://patchwork.kernel.org/project/selinux/patch/[email protected]/
/cc @WOnder93