Re: New proposed system group "scap" and setuid binary "dumpcalls"
On Mon, Oct 06, 2025 at 12:56:41PM +0200, Bálint Réczey wrote:
> > What is the security model of dumpcalls? Does it pay attention to the
> > user that invoked it, and only dump calls for processes running with the
> > privileges of that user (and carefully not dump setuid/setcap/etc
> > binaries that have elevated privileges the user doesn't have
> > unrestricted access to)?
> >
> > (I looked for this information in the various links provided and didn't
> > see it stated anywhere obvious; apologies if I've missed it.)
>
> AFAIK there is no such protection. Dumpcalls will monitor all
> supported events on the system by default.
> One use case for it is remotely triaging system issues where dumpcalls
> is installed on the remote system and in those cases missing
> information about setuid/etc. binaries could prevent successful
> triaging.
Do we have a positive review from the SUSE folks? They require a formal
review for every new elevated binary.
But if there is no policy on what processes can be traced, I don't think
this will be positive.
From my view: it needs to employ the "can ptrace" check for any
monitored process.
Bastian
--
... bacteriological warfare ... hard to believe we were once foolish
enough to play around with that.
-- McCoy, "The Omega Glory", stardate unknown