PATH records show fcaps

Steve Grubb sgrubb at redhat.com
Mon Oct 20 10:56:32 UTC 2008


On Saturday 18 October 2008 11:23:12 Eric Paris wrote:
> type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000
> cap_inheritable=0000000000000000 

The kernel abbreviates these as: capprm & capinh in the proc file system. I'm 
thinking shorter names would save some disk space.

> This good?  If either cap_permitted or cap_inheritable have anything set
> I show them both.

And they are otherwise missing to save disk space?

> In the above example would you rather I only showed 
> cap_permitted and dropped cap_inheritable?

No. It's my understanding that apps could have something inheritable by 
children and we'd want to know exactly what that was.

> Did I see correctly that it's possible to set a cap_effective on a file? 

Yes.

> Does it do anything?  I didn't see that getting used or read in the kernel, 
> so I didn't put any way to display it in kernel....

That would be strange to have a field that is not used.

I'll leave code review to others. Thanks for working on this patch!

-Steve
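
Added example, not part of the original message or of the patch under discussion: a small parser that pulls the file-capability fields out of a PATH record and decodes the hex masks into capability names. It assumes the field names shown in the quoted record (cap_permitted, cap_inheritable) and that the fields may be absent when nothing is set; the second and third sample records are constructed.

```python
import re

# Capability names by bit number, from include/uapi/linux/capability.h.
CAP_NAMES = ["CAP_" + n for n in (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
    "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
    "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
    "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
    "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
    "PERFMON BPF CHECKPOINT_RESTORE").split()]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CAP_FIELDS = ("cap_permitted", "cap_inheritable")  # names as in the quoted record

def decode_caps(hex_mask):
    """Turn a hex capability bitmask into a list of capability names."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "bit%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1]

def file_caps(line):
    """Return (path, {field: [caps]}) for a PATH record, else None.
    Fields absent from the record are absent from the dict."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if rec.get("type") != "PATH":
        return None
    return rec.get("name"), {f: decode_caps(rec[f]) for f in CAP_FIELDS if f in rec}

# First record is the one quoted in the message; the other two are constructed.
SAMPLE = [
    'type=PATH msg=audit(1224342849.465:43): item=0 name="/bin/ping" inode=49227 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000002000 '
    'cap_inheritable=0000000000000000',
    'type=PATH msg=audit(1224342850.101:44): item=0 name="/bin/ls" inode=49300 '
    'dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00',
    'type=CWD msg=audit(1224342850.101:44): cwd="/root"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(file_caps(line))
```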



