
Re: New proposed system group "scap" and setuid binary "dumpcalls"



On Mon, Oct 06, 2025 at 12:56:41PM +0200, Bálint Réczey wrote:
> > What is the security model of dumpcalls? Does it pay attention to the
> > user that invoked it, and only dump calls for processes running with the
> > privileges of that user (and carefully not dump setuid/setcap/etc
> > binaries that have elevated privileges the user doesn't have
> > unrestricted access to)?
> >
> > (I looked for this information in the various links provided and didn't
> > see it stated anywhere obvious; apologies if I've missed it.)
> 
> AFAIK there is no such protection. Dumpcalls will monitor all
> supported events on the system by default.
> One use case for it is remotely triaging system issues where dumpcalls
> is installed on the remote system and in those cases missing
> information about setuid/etc. binaries could prevent successful
> triaging.

Do we have a positive review from the SUSE folks?  They require a formal
review for every new elevated binary.

But if there is no policy on what processes can be traced, I don't think
this will be positive.

From my view: it needs to employ the "can ptrace" check for any
monitored process.

Bastian

-- 
... bacteriological warfare ... hard to believe we were once foolish
enough to play around with that.
		-- McCoy, "The Omega Glory", stardate unknown
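
The "can ptrace" check referred to above is the kernel's __ptrace_may_access() rule (kernel/ptrace.c), the same test PTRACE_ATTACH goes through. The C below is an added illustration written for this page, not code from dumpcalls or from either poster, of how a setuid tracing tool could apply that rule in user space before emitting events for a process: the invoking user's real uid/gid (what getuid()/getgid() return in a setuid binary) must match all three of the target's uid/euid/suid and gid/egid/sgid, or the caller must hold CAP_SYS_PTRACE; and a non-dumpable target (which is what a process becomes after exec of a setuid/setcap binary) is refused without that capability. Assumptions: the /proc/<pid>/status excerpts are constructed, the dumpable flag is passed in by the caller rather than discovered, and the LSM hooks the kernel also consults (Yama ptrace_scope, AppArmor, SELinux) and user-namespace mapping are left out.

```c
/* Added example, not dumpcalls code: user-space approximation of the
 * kernel's __ptrace_may_access() policy for PTRACE_MODE_ATTACH_REALCREDS.
 * LSM hooks and user namespaces are deliberately not modelled. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Credentials of a candidate target as reported by the "Uid:" and "Gid:"
 * lines of /proc/<pid>/status (real, effective, saved, filesystem), plus
 * whether the process is dumpable (supplied by the caller here). */
struct target_creds {
    uid_t uid[4];
    gid_t gid[4];
    bool dumpable;
};

/* Constructed excerpts of /proc/<pid>/status (not captured from a real
 * system): a plain user shell, and the same user running a setuid-root
 * binary such as passwd (real uid stays 1000, effective/saved become 0). */
const char SAMPLE_USER_STATUS[] =
    "Name:\tbash\n"
    "Umask:\t0022\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n";
const char SAMPLE_SETUID_STATUS[] =
    "Name:\tpasswd\n"
    "Pid:\t4243\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

/* Parse the Uid:/Gid: lines out of the text of /proc/<pid>/status.
 * Returns true only if both lines were found; dumpable is left untouched. */
bool parse_proc_status(const char *status, struct target_creds *out)
{
    bool have_uid = false, have_gid = false;
    const char *line = status;
    while (line && *line) {
        unsigned v0, v1, v2, v3;
        if (sscanf(line, "Uid:\t%u\t%u\t%u\t%u", &v0, &v1, &v2, &v3) == 4) {
            out->uid[0] = v0; out->uid[1] = v1; out->uid[2] = v2; out->uid[3] = v3;
            have_uid = true;
        } else if (sscanf(line, "Gid:\t%u\t%u\t%u\t%u", &v0, &v1, &v2, &v3) == 4) {
            out->gid[0] = v0; out->gid[1] = v1; out->gid[2] = v2; out->gid[3] = v3;
            have_gid = true;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return have_uid && have_gid;
}

/* The kernel rule: caller's real uid/gid must equal the target's real,
 * effective and saved ids, unless the caller has CAP_SYS_PTRACE; and a
 * non-dumpable target is off limits without CAP_SYS_PTRACE. */
bool ptrace_access_ok(uid_t caller_uid, gid_t caller_gid,
                      bool caller_has_cap_sys_ptrace,
                      const struct target_creds *t)
{
    bool same_user = caller_uid == t->uid[0] && caller_uid == t->uid[1] &&
                     caller_uid == t->uid[2] &&
                     caller_gid == t->gid[0] && caller_gid == t->gid[1] &&
                     caller_gid == t->gid[2];
    if (!same_user && !caller_has_cap_sys_ptrace)
        return false;
    if (!t->dumpable && !caller_has_cap_sys_ptrace)
        return false;
    return true;
}

/* Decision a tracing tool could take per process before including it in
 * its output.  Unparsable status text fails closed. */
bool should_monitor(uid_t caller_uid, gid_t caller_gid,
                    bool caller_has_cap_sys_ptrace,
                    const char *status_text, bool dumpable)
{
    struct target_creds t;
    if (!parse_proc_status(status_text, &t))
        return false;
    t.dumpable = dumpable;
    return ptrace_access_ok(caller_uid, caller_gid, caller_has_cap_sys_ptrace, &t);
}

int main(void)
{
    uid_t me = 1000;   /* pretend invoking (real) uid of the setuid tool */
    gid_t mygrp = 1000;
    printf("user shell (uid 1000):        %s\n",
           should_monitor(me, mygrp, false, SAMPLE_USER_STATUS, true) ? "trace" : "skip");
    printf("setuid passwd (uid 1000):     %s\n",
           should_monitor(me, mygrp, false, SAMPLE_SETUID_STATUS, false) ? "trace" : "skip");
    printf("setuid passwd, CAP_SYS_PTRACE: %s\n",
           should_monitor(0, 0, true, SAMPLE_SETUID_STATUS, false) ? "trace" : "skip");
    return 0;
}
```

The point of the two-part rule is visible in the passwd case: even if the target were somehow still dumpable, its effective uid 0 no longer matches the caller's real uid 1000, so a user-invoked tool must not report its events; only a caller holding CAP_SYS_PTRACE (for example an administrator doing the remote triage Bálint describes) gets everything.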

