
Re: New proposed system group "scap" and setuid binary "dumpcalls"



Hi Josh,

Josh Triplett <josh@joshtriplett.org> wrote (on 2025 Oct 4, Sat, 21:27):
>
> Bálint Réczey wrote:
> > The wireshark source package soon starts shipping the Stratoshark
> > [1][2] system call analyzer, a new GUI that uses the dumpcalls [3]
> > helper program to monitor and collect local system calls.
> > The dumpcalls [3] binary either needs to be setuid or - hopefully - be
> > able to rely only on narrower Linux Capabilities to collect
> > information from the system [4].
> >
> > The "scap" group name comes from libscap's name and that comes from
> > System CAPture.
> > I think it is OK to use the abbreviated form, since the library name
> > is already reserved in Debian, while it is shipped in
> > libfalcosecurity0t64 for now. Upstream has already used this group name
> > for some time in upstream-provided .debs.
>
> What is the security model of dumpcalls? Does it pay attention to the
> user that invoked it, and only dump calls for processes running with the
> privileges of that user (and carefully not dump setuid/setcap/etc
> binaries that have elevated privileges the user doesn't have
> unrestricted access to)?
>
> (I looked for this information in the various links provided and didn't
> see it stated anywhere obvious; apologies if I've missed it.)

AFAIK there is no such protection. Dumpcalls will monitor all
supported events on the system by default.
One use case for it is remotely triaging system issues where dumpcalls
is installed on the remote system, and in those cases missing
information about setuid/etc. binaries could prevent successful
triaging.

Cheers,
Balint
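As an added example (not code from the wireshark package or from Stratoshark upstream), the following Python audits the two privilege models the thread contrasts for a helper like dumpcalls: setuid root versus file capabilities, plus whether the file mode limits execution to a group such as scap. The capability set in the constructed sample is hypothetical; the thread does not say which capabilities dumpcalls needs.

```python
import os
import stat
import struct

# Capability numbers from <linux/capability.h>; list index == capability value.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def decode_vfs_caps(xattr):
    """Decode a security.capability xattr (struct vfs_cap_data, revision 2 or 3)
    into (permitted, inheritable, effective); the sets hold capability names."""
    magic = struct.unpack_from("<I", xattr, 0)[0]
    if magic >> 24 not in (2, 3):
        raise ValueError("unsupported vfs_cap_data revision %d" % (magic >> 24))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", xattr, 4)  # 32-bit halves
    def names(mask):
        return {n for i, n in enumerate(CAP_NAMES) if mask >> i & 1}
    return names(p_lo | p_hi << 32), names(i_lo | i_hi << 32), bool(magic & 1)

def classify(st_mode, st_uid, caps_xattr):
    """Summarise how a helper gains privilege and who may execute it.
    st_mode/st_uid come from stat(); caps_xattr is the raw xattr or None."""
    permitted = decode_vfs_caps(caps_xattr)[0] if caps_xattr else set()
    return {
        "setuid_root": bool(st_mode & stat.S_ISUID) and st_uid == 0,
        "file_caps": sorted(permitted),
        "world_executable": bool(st_mode & stat.S_IXOTH),
        "group_executable": bool(st_mode & stat.S_IXGRP),
    }

def audit(path):
    """Run classify() against a real file (Linux only; needs xattr support)."""
    st = os.stat(path)
    try:
        xattr = os.getxattr(path, "security.capability")
    except OSError:  # ENODATA: no file capabilities set on this file
        xattr = None
    return classify(st.st_mode, st.st_uid, xattr)

# Constructed sample: a 0750 root-owned binary (group would be scap) carrying
# CAP_SYS_PTRACE and CAP_SYS_ADMIN as permitted+effective, revision 2 format.
# Hypothetical capability set, not dumpcalls' actual requirements.
SAMPLE_MODE = stat.S_IFREG | 0o750
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, (1 << 19) | (1 << 21), 0, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_MODE, 0, SAMPLE_XATTR))               # capability model
    print(classify(stat.S_IFREG | stat.S_ISUID | 0o755, 0, None))  # setuid-root model
```

Running audit("/path/to/dumpcalls") on an installed system reports which of the two models the packaged binary actually uses and whether "other" users can execute it at all.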

