Re: New proposed system group "scap" and setuid binary "dumpcalls"
Bálint Réczey wrote:
> The wireshark source package soon starts shipping the Stratoshark
> [1][2] system call analyzer, a new GUI that uses the dumpcalls [3]
> helper program to monitor and collect local system calls.
> The dumpcalls [3] binary either needs to be setuid or - hopefully be
> able to rely only on narrower Linux Capabilities to collect
> information from the system [4].
> 
> The "scap" group name comes from libscap's name and that comes from
> System CAPture.
> I think it is OK to use the abbreviated form, since the library name
> is already reserved in Debian, while it is shipped in
> libfalcosecurity0t64 for now. Upstream has already been using this
> group name for some time in upstream-provided .debs.

What is the security model of dumpcalls? Does it pay attention to the
user that invoked it, and only dump calls for processes running with the
privileges of that user (and carefully not dump setuid/setcap/etc
binaries that have elevated privileges the user doesn't have
unrestricted access to)?

(I looked for this information in the various links provided and didn't
see it stated anywhere obvious; apologies if I've missed it.)