Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities
From: Serge E. Hallyn
Date: Tue Oct 21 2008 - 15:18:00 EST
Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> Eric Paris wrote:
> > Any time fcaps are used to increase a process's pP or pE we will create a new
> > audit record which contains the entire set of known information about the
> > executable in question, fP, fI, fE, version and includes the parent process's
> > pE, pI, pP. This record type will only be emitted from execve syscalls.
> I'm confused by the choice of when to log this event.
> File capabilities are required to give a process 'any' active
> capabilities. That is, they don't affect pI -> pI', but without fI or fP,
> the post-execve() process is guaranteed to have no pP or pE capabilities.
> Logging execve()s where there is only an increase in capabilities seems
> wrong to me. To me it seems equally important to log any event where an
> execve() yields pP != 0.
... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
And then it also might be interesting in the case where
(!issecure(SECURE_NOROOT) && uid==0) and pP is not full.
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 888b292..9bb285d 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -8,6 +8,7 @@
> > */
> > #include <linux/capability.h>
> > +#include <linux/audit.h>
> > #include <linux/module.h>
> > #include <linux/init.h>
> > #include <linux/kernel.h>
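Review bot: pulling in <linux/audit.h> here only works if that header declares audit_log_bprm_fcaps() in every configuration; commoncap.c is also built with audit support compiled out, so the header should provide an empty static inline fallback for that case or this call will not compile there.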
> > @@ -320,6 +321,8 @@ static int get_file_caps(struct linux_binprm *bprm)
> > rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
> > + audit_log_bprm_fcaps(bprm, &vcaps);
> > +
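Review bot: the call `audit_log_bprm_fcaps(bprm, &vcaps);` is unconditional and ignores rc, while the description says a record is emitted only when fcaps raise pP or pE; the increase test must therefore live inside audit_log_bprm_fcaps(), which this hunk does not show, and a failed execve() is logged exactly like a successful one. Consider passing rc in (or checking it before the call) so the record can state whether the exec actually went ahead.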
> When rc != 0, the execve() will fail. Is it appropriate to log in this case?
It might fail because fP contains bits not in pP', right? That's
probably interesting to auditors.
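A small model of the transition this thread is arguing about, added here as an example and not code from the patch or the kernel: one 32-bit word stands in for the capability set, `apply_fcaps` follows the rule bprm_caps_from_vfs_caps() applies, `apply_root` is the legacy root path, and the two `log_on_*` predicates express the competing triggers (Eric's increase test; Andrew's pP' != 0 test with Serge's root caveats). Field names, the single-word sets and taking euid equal to uid are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* One 32-bit word stands in for the kernel's kernel_cap_t (assumption). */
typedef uint32_t capset_t;
#define CAP_FULL 0xffffffffu

struct fcaps { capset_t fP, fI; bool fE; };                 /* caps from the file xattr */
struct pcaps { capset_t pP, pI, pE, bset; int uid; bool secure_noroot; };
struct newcaps { capset_t pP, pI, pE; int rc; };           /* post-execve() state */

/* Non-root (or SECURE_NOROOT) path, the rule bprm_caps_from_vfs_caps() uses:
 *   pP' = (X & fP) | (pI & fI)    pI' = pI    pE' = fE ? pP' : 0
 * rc is -EPERM when fE is set and fP carries bits that did not reach pP'. */
struct newcaps apply_fcaps(const struct pcaps *p, const struct fcaps *f)
{
    struct newcaps n;
    n.pP = (p->bset & f->fP) | (p->pI & f->fI);
    n.pI = p->pI;
    n.pE = f->fE ? n.pP : 0;
    n.rc = (f->fE && (f->fP & ~n.pP)) ? -EPERM : 0;
    return n;
}

/* Legacy root path (!SECURE_NOROOT && uid == 0): the caps come from the uid,
 * not from fcaps, so pP' is the bounding set and nothing is file-derived.
 * euid is taken equal to uid here (assumption), so pE' = pP'. */
struct newcaps apply_root(const struct pcaps *p)
{
    struct newcaps n = { p->bset, p->pI, p->bset, 0 };
    return n;
}

/* Eric's trigger: fcaps raised pP or pE beyond what the parent had. */
bool log_on_increase(const struct pcaps *p, const struct newcaps *n)
{
    return (n->pP & ~p->pP) || (n->pE & ~p->pE);
}

/* Andrew's trigger with Serge's caveats: skip the pP' != 0 test on the root
 * path, but do flag a root exec whose pP' is not the full set. */
bool log_on_nonzero(const struct pcaps *p, const struct newcaps *n)
{
    if (!p->secure_noroot && p->uid == 0)
        return n->pP != CAP_FULL;
    return n->pP != 0;
}
```

The second test case below is Serge's point: a bounding set that drops a forced bit makes the exec fail with -EPERM while no capability increased at all, so the increase trigger never fires for it.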