audit capability checks not audited

Stephen Smalley sds at tycho.nsa.gov
Tue May 17 12:53:22 UTC 2005


On Tue, 2005-05-17 at 08:52 -0400, Steve Grubb wrote:
> Is the bug report in bugzilla or a mail list? I'd like to see it to figure out 
> what best to do.

Private email from Dan Walsh.  This one was for vsftpd; failed unless
given audit_control, which seems wrong anyway.  I assume libpam is
triggering it.

> Was the program making calls into the audit system? pam is the only thing that 
> does that in the public. If there's a problem with pam, I need to know.

I'm assuming it is being caused by libpam, although I don't know much
beyond the fact that vsftpd stopped working without it.

> What are we doing wrong? Shouldn't it be a matter of calling the right selinux 
> function for a capabilities check after the DAC checks? That seems simpler 
> and has less impact on user space.

The problem arises from the async nature of netlink processing; the
effective capability bitmap of the task is computed and saved in the
netlink message's control buffer at send time, and then the receive-side
kernel code just checks the appropriate capability bit in that bitmap
(in audit_netlink_ok for the audit code).  SELinux sees the send-time
computation, but doesn't know a priori what capabilities, if any, will
be checked by the receive side code, so it just performs a computation
of what is allowed and doesn't audit anything at that point.  Then, when
the message is received and processed, audit_netlink_ok() just checks
the capability bit and SELinux isn't involved, so no audit message is
generated.  Even if you changed audit_netlink_ok() to call a LSM hook
rather than directly performing a cap_raised() test, SELinux wouldn't
know the security context of the sender, since that isn't saved with the
netlink message.  Simplest solution is Chris' earlier patches to allow
callbacks to be registered for netlink send so that audit_netlink_ok()
checking can occur at send time.  At that point, audit_netlink_ok() can
perform capable() checks against the current task, which will trigger
SELinux audit as expected.

-- 
Stephen Smalley
National Security Agency
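The two designs Stephen contrasts above (capability bitmap snapshotted at send time and tested on receive, versus a capable() check against the current task at send time), as an added example modelled in userspace C. This is not kernel code and not from the thread: cap_raised(), audit_netlink_ok() and eff_cap follow the 2.6-era kernel names, but the task, message and audit-log structures, the ftpd-like sender, and the simplified message-type-to-capability mapping are constructed for the illustration.

```c
/* Added example: userspace model (not kernel code) of the deferred versus
 * send-time netlink capability check.  Kernel names are borrowed; the task,
 * message, log buffer and sender are constructed for this illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_AUDIT_WRITE    29               /* real capability numbers */
#define CAP_AUDIT_CONTROL  30
#define CAP_TO_MASK(c)     (1u << (c))
#define cap_raised(set, c) (((set) & CAP_TO_MASK(c)) != 0)
#define AUDIT_GET          1000             /* real netlink message types */
#define AUDIT_USER_AVC     1107

/* Constructed stand-ins: the kernel task, NETLINK_CB(skb), and a check result. */
struct task    { const char *comm; const char *secctx; uint32_t cap_effective; };
struct msg     { int type; struct { uint32_t eff_cap; } cb; };
struct outcome { int rc; int records; };    /* return code, audit records written */

static char audit_log[1024];                /* constructed: receives LSM denials */

static int log_records(void)
{
    int n = 0;
    for (const char *p = audit_log; *p; p++) n += (*p == '\n');
    return n;
}

/* Model of the LSM capable() hook: it has the task in hand, so when asked to
 * audit it can write an AVC record naming the caller's security context. */
static int lsm_capable(const struct task *t, int cap, int audit)
{
    int ok = cap_raised(t->cap_effective, cap);
    if (!ok && audit) {
        char line[128];
        snprintf(line, sizeof line, "avc: denied { cap %d } comm=%s scontext=%s\n",
                 cap, t->comm, t->secctx);
        strncat(audit_log, line, sizeof audit_log - strlen(audit_log) - 1);
    }
    return ok;
}

/* Simplified audit_netlink_ok() mapping: user-space records (types 1100-1199)
 * need CAP_AUDIT_WRITE; AUDIT_GET/SET and rule changes need CAP_AUDIT_CONTROL. */
static int cap_needed(int type)
{
    return (type >= 1100 && type <= 1199) ? CAP_AUDIT_WRITE : CAP_AUDIT_CONTROL;
}

/* Design 1 (the bug): snapshot every effective cap at send time.  The LSM
 * cannot know which bit the receiver will test, so it must not audit here
 * (audit = 0) or it would log a denial for every capability the task lacks. */
static void netlink_send_snapshot(const struct task *sender, struct msg *m)
{
    uint32_t caps = 0;
    for (int c = 0; c < 32; c++)
        if (lsm_capable(sender, c, 0)) caps |= CAP_TO_MASK(c);
    m->cb.eff_cap = caps;
}

/* Design 1, receive side: only the saved bitmap is available.  No task, no
 * security context, no LSM hook, hence no audit record on denial. */
static int audit_netlink_ok_deferred(const struct msg *m)
{
    return cap_raised(m->cb.eff_cap, cap_needed(m->type)) ? 0 : -EPERM;
}

/* Design 2 (the fix): check at send time against the current task, so the
 * ordinary capable() path runs and SELinux audits the denial. */
static int audit_netlink_ok_sendtime(const struct task *sender, int type)
{
    return lsm_capable(sender, cap_needed(type), 1) ? 0 : -EPERM;
}

struct outcome try_deferred(const struct task *t, int type)
{
    struct msg m = { type, { 0 } };
    int before = log_records();
    netlink_send_snapshot(t, &m);
    return (struct outcome){ audit_netlink_ok_deferred(&m), log_records() - before };
}

struct outcome try_sendtime(const struct task *t, int type)
{
    int before = log_records();
    return (struct outcome){ audit_netlink_ok_sendtime(t, type), log_records() - before };
}

/* Constructed sender: an ftpd-like task holding CAP_AUDIT_WRITE but not
 * CAP_AUDIT_CONTROL, i.e. vsftpd before it was granted audit_control. */
const struct task vsftpd_task = { "vsftpd", "system_u:system_r:ftpd_t",
                                  CAP_TO_MASK(CAP_AUDIT_WRITE) };

int main(void)
{
    struct outcome a = try_deferred(&vsftpd_task, AUDIT_GET);
    struct outcome b = try_sendtime(&vsftpd_task, AUDIT_GET);
    printf("deferred: rc=%d records=%d\nsend-time: rc=%d records=%d\n",
           a.rc, a.records, b.rc, b.records);
    fputs(audit_log, stdout);
    return 0;
}
```

Both designs deny the AUDIT_GET with -EPERM, which is the behaviour vsftpd hit; only the send-time check leaves an AVC record carrying the sender's comm and scontext, which is what the deferred design cannot produce because the receiver never sees the task.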
