Hi,

The wireshark source package will soon start shipping the Stratoshark [1][2] system call analyzer, a new GUI that uses the dumpcalls [3] helper program to monitor and collect local system calls. The dumpcalls [3] binary either needs to be setuid or, hopefully, will be able to rely only on narrower Linux Capabilities to collect information from the system [4].

The "scap" group name comes from libscap's name, and that comes from System CAPture. I think it is OK to use the abbreviated form, since the library name is already reserved in Debian, while it is shipped in libfalcosecurity0t64 for now. Upstream has already been using this group name for some time in upstream-provided .debs.

The Debian Policy governs the process of adding new setuid binaries [5], thus hereby I'm looking for the approval of the binary and the group name, or feedback if changes would be necessary.

Cheers,
Balint

PS: The dumpcalls binary has just been split [3] from falcodump [6] to minimize the code running with elevated privileges.

[1] https://stratoshark.org/
[2] https://packages.debian.org/experimental/stratoshark
[3] https://gitlab.com/wireshark/wireshark/-/merge_requests/21618
[4] https://gitlab.com/wireshark/wireshark/-/blob/master/packaging/debian/stratoshark.postinst
[5] https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners
[6] https://manpages.debian.org/experimental/wireshark-common/falcodump.1.en.html

