proc_loginuid_write() checks wrong capability?

Casey Schaufler casey at schaufler-ca.com
Tue Feb 6 19:15:22 UTC 2007


--- Steve Beattie <sbeattie at suse.de> wrote:

> Hi,
>
> Looking at the code for proc_loginuid_write() in Linus' git tree, the
> capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid
> and generate LOGIN type records. This seems to run counter to the
> capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to
> "Enable and disable kernel auditing; change auditing filter rules;
> retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE
> is to "Allow records to be written to kernel auditing log."
>
> Should the following patch be applied, or am I misunderstanding something?

The latter. CAP_AUDIT_WRITE allows you to
create audit records, and that's it. It does
not allow you to change how they're managed,
which is an important aspect of the loginuid
of a process. Updating the loginuid changes
information that will go into audit records,
and that is strongly related to "filtering
rules". 

> It doesn't seem quite right that anything that makes use of
> pam_loginuid.so should need to be granted the capability that allows
> enabling and disabling kernel auditing or changing filter rules.

Although the current audit system doesn't
do so (at least, I don't think it does, I
could be wrong), specifying audit characteristics
on a per-session basis would require that
capability.


Casey Schaufler
casey at schaufler-ca.com
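
Added example (not part of the original message and not kernel code): a small C checker that decodes the `CapEff` mask from `/proc/<pid>/status` text and applies the rule described in this thread, namely that setting loginuid requires CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE alone is not enough. The sample status excerpts and the helper `can_set_loginuid()` are constructed for illustration; the bit numbers come from `<linux/capability.h>`.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_AUDIT_WRITE   29
#define CAP_AUDIT_CONTROL 30

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
static const char SAMPLE_WRITE_ONLY[] =
    "Name:\tlogin-helper\nCapPrm:\t0000000020000000\nCapEff:\t0000000020000000\n";
static const char SAMPLE_BOTH[] =
    "Name:\tlogin-helper\nCapPrm:\t0000000060000000\nCapEff:\t0000000060000000\n";

/* Find the "CapEff:" line and decode its hex mask. Returns 0 on success, -1 otherwise. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            v += strspn(v, " \t");           /* stay on this line: do not skip '\n' */
            if (!isxdigit((unsigned char)*v))
                return -1;                   /* empty or malformed value */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');                 /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

/* Hypothetical helper: applies the rule stated in the thread. */
int can_set_loginuid(const char *status)
{
    uint64_t mask;
    return parse_cap_eff(status, &mask) == 0 && has_cap(mask, CAP_AUDIT_CONTROL);
}

int main(void)
{
    printf("write-only: %d\n", can_set_loginuid(SAMPLE_WRITE_ONLY));
    printf("both:       %d\n", can_set_loginuid(SAMPLE_BOTH));
    return 0;
}
```

Run over the status files of services that load pam_loginuid.so, the same decoding shows which of them carry the broader CAP_AUDIT_CONTROL bit that the question above is concerned about.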



