From: Kyle Evans
Date: Sun, 22 Nov 2020 19:03:13 -0600
Subject: Re: Audit & capscicum on FreeBSD 12.2Stable
To: Dewayne Geraghty
Cc: "freebsd-questions@freebsd.org"

On Sun, Nov 22, 2020 at 6:27 PM Dewayne Geraghty wrote:
>
> I've recently included capsicum & casper in our build, but we're finding
> "Function not implemented" associated with the capsicum audit events.
>
> header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
> subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
> return,failure : Function not implemented,4294967295
> trailer,68
>
> Do these mean that: the audit subsystem doesn't know how to deal with
> capsicum; that capsicum doesn't interact with audit very well, or is
> there something else going on?
>

This would seem to indicate that you are running a kernel that was not
built with `options CAPABILITIES`.

This part demonstrates that audit picked up what it was because, IIRC,
the syscall name rendered here is picked out of your audit_event:

> header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec

So this really is the return value that applications are getting:

> return,failure : Function not implemented,4294967295

"Function not implemented" = ENOSYS, which indicates that it's using
one of the stubs when CAPABILITIES is not built in.

Thanks,

Kyle Evans
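
Added example, not part of the original message or of FreeBSD itself: a small filter over praudit(1) text output that reports every Capsicum syscall (event name starting with `cap_`) whose return token is "Function not implemented", grouped by event and pid. The function names are hypothetical; the sample input is the three records quoted in the thread plus one constructed success record.

```shell
#!/bin/sh
# Summarise cap_* audit events that failed with ENOSYS.
# Input: praudit default multi-line records on stdin, for example
#   praudit /var/audit/current | capsicum_enosys_summary

capsicum_enosys_summary() {
    awk -F, '
        # header token: 4th field is the event name taken from audit_event
        $1 == "header"  { event = $4; pid = "?" }
        # subject token: auid,euid,egid,ruid,rgid,pid,... so pid is field 7
        $1 == "subject" { pid = $7 }
        # return token: field 2 carries "failure : <strerror text>"
        $1 == "return" && event ~ /^cap_/ && $2 ~ /Function not implemented/ {
            count[event " pid=" pid]++
        }
        # trailer closes the record; forget the event so stray tokens are ignored
        $1 == "trailer" { event = "" }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Sample trail: first three records are from the thread, the last one is
# constructed to show that successful cap_* calls are not reported.
sample_trail() {
cat <<'EOF'
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:52 2020, + 10 msec
subject,-1,root,wheel,root,wheel,41700,0,0,0.0.0.0
return,success,0
trailer,68
EOF
}

sample_trail | capsicum_enosys_summary
```

Any output from this filter on a host means processes there are calling the Capsicum stubs and are not actually being restricted by capability limits.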