auditing file based capabilities

[LC Bruzenak]

On Mon, 2008-10-13 at 09:04 -0500, Serge E. Hallyn wrote:
...
> 
> Except I think setcap should also be audited, so that if a task receives
> some inheritable capabilities, you can tell from the logs when that
> happened and which executable did it.
> 
> Do you already have a patch for this?
> 
> -serge

I think it already happens right (?):

node=hugo type=USER_CMD msg=audit(10/13/2008 10:13:33.616:27271) : user
pid=5202 uid=root auid=lenny subj=user_u:user_r:user_t:s0-s15:c0.c1023
msg='cwd=/home/lenny/src2/OED/test/audit cmd=/usr/sbin/setcap
cap_audit_write+pe audit-test (terminal=pts/4 res=success)' 
----
node=hugo type=PATH msg=audit(10/13/2008 10:13:33.617:27272) : item=0
name=audit-test inode=820271 dev=fd:00 mode=file,755 ouid=lenny
ogid=lenny rdev=00:00 obj=user_u:object_r:user_home_t:s0 
node=hugo type=CWD msg=audit(10/13/2008 10:13:33.617:27272) :
cwd=/home/lenny/src2/OED/test/audit 
node=hugo type=SYSCALL msg=audit(10/13/2008 10:13:33.617:27272) :
arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fff68c57a2a
a1=35a1402b44 a2=7fff68c55b20 a3=14 items=1 ppid=11723 pid=5202
auid=lenny uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=215 comm=setcap exe=/usr/sbin/setcap
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null) 
node=hugo type=AVC msg=audit(10/13/2008 10:13:33.617:27272) : avc:
denied  { setfcap } for  pid=5202 comm=setcap
capability=scontext=user_u:user_r:user_t:s0-s15:c0.c1023
tcontext=user_u:user_r:user_t:s0-s15:c0.c1023 tclass=capability 


LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com