RFE: list noaudit exemptions #27
Conversation
src/auditing.md
Outdated
|
|
||
| - *kernel/capability.c#L518* | ||
|
|
||
| If not granted *CAP_SYS_PTRACE* several tracing related operations are not permitted. |
There was a problem hiding this comment.
Wouldn't it make more sense to enumerate the callers of ptracer_capable() in this list? This seems like more of a utility function than the sort of call-site to enumerate here. Grepping ptracer_capable looks like it only has 3 callers, so it wouldn't bloat the list too much to enumerate them instead of listing this call site.
There was a problem hiding this comment.
Listed the conditions
src/auditing.md
Outdated
|
|
||
| - *kernel/ptrace.c#L282* | ||
|
|
||
| If not granted *CAP_SYS_PTRACE* in its namespace the fields *kstkesp* and *kstkeip* in the *PID* directory entry *stat* files are zeroed. |
There was a problem hiding this comment.
I haven't fully grokked do_task_stat() at all, but is this really the only difference? I see the comment about that, but then permitted is used quite a few more times in the function, and I don't know the /proc portion of the kernel well enough to understand what's going on in the rest of it without a lot more digging.
There was a problem hiding this comment.
Listed all affected fields
pcmoore
changed the title
pcmoore
added
enhancement
|
@cgzones Any chance you can publish an update to this based on Daniel's feedbacj above, or would you prefer us to pick it up? |
In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode. Document this fact and list (hopefully) all occurrences in kernel v6.4. Signed-off-by: Christian Göttsche <[email protected]>
|
reviewed-by: Joshua Brindle [email protected] |
|
@jbrindle In the future, would you be able to wait longer before a merge? I would think that typically someone who has reviewed an earlier version may want to review a later version as well, but with just 3 hours after the update, I hadn't gotten to it yet. (It's also the workflow described in https://github.com/SELinuxProject/selinux-notebook/blob/main/MAINTAINER_PROCESS.md to wait for two maintainer acks unless "a reasonable period of time (for example a delay of over two weeks)" has passed) |
In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode.
Document this fact and list (hopefully) all occurrences in kernel v6.4.
Inspired by https://patchwork.kernel.org/project/selinux/patch/[email protected]/
/cc @WOnder93