audit capability checks not audited
serue at us.ibm.com
serue at us.ibm.com
Thu May 19 16:49:29 UTC 2005
Quoting Stephen Smalley (sds at tycho.nsa.gov):
> On Thu, 2005-05-19 at 11:27 -0400, Steve Grubb wrote:
> > On Tuesday 17 May 2005 09:12, Steve Grubb wrote:
> > > Then I'll ask Dan what's wrong. I think that libpam should probably be
> > > fixed if that is indeed the problem.
> >
> > OK. I see the problem now.
> >
> > In /fs/proc/base.c we have this code:
> >
> > 845 static ssize_t proc_loginuid_write(struct file * file, const char __user *
> > buf,
> > 846 size_t count, loff_t *ppos)
> > 847 {
> > 854 if (!capable(CAP_AUDIT_CONTROL))
> > 855 return -EPERM;
> >
> > So, this means that the pam module has to have CONTROL capabilites to set the
> > loginuid. This is clearly not what we want. Should this be changed to WRITE
> > or should we have another capability? Or, does anyone have another idea?
>
> No, CAP_AUDIT_WRITE would be worse, as any application that can generate
> an audit message would then be able to also set its own loginuid.
> Finer-grained control can be achieved using the SELinux permission
> checks on netlink_audit_socket. CAP_AUDIT_CONTROL then becomes
> necessary but not sufficient to modify the audit rules; you also need
> SELinux nlmsg_write permission to netlink_audit_socket.
So we can add a security_audit_loginuid() hook. Do we consider this a
good reason to switch from capabilities to LSM hooks for all the audit
permissions?
-serge
More information about the Linux-audit
mailing list