Add a new record which shows when fcaps escalate permissions

Steve Grubb sgrubb at redhat.com
Mon Oct 20 11:24:15 UTC 2008


On Saturday 18 October 2008 17:08:02 Eric Paris wrote:
> type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59
> success=yes exit=0 a0=9f7460 a1=9fe7c0 a2=a059e0 a3=3445170a70 items=2
> ppid=2328 pid=2356 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="ping" exe="/bin/ping"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

execve syscall record

> type=EXECVE msg=audit(1224363342.919:60): argc=2 a0="ping" a1="127.0.0.1"
> type=UNKNOWN[1321] msg=audit(1224363342.919:60):
> file_permitted=0000000000003000 file_inheritable=0000000000003000
> task_permitted=0000000000000000 task_inheritable=0000000000000000
> task_effective=0000000000000000 bprm_effective=0000000000003000 

Good. I'd prefer the proc file system abbreviations to save disk space.


> type=CWD msg=audit(1224363342.919:60):  cwd="/home/test"
> type=PATH msg=audit(1224363342.919:60): item=0 name="/bin/ping" inode=49227
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000003000
> cap_inheritable=0000000000003000 type=PATH msg=audit(1224363342.919:60):
> item=1 name=(null) inode=507963 dev=fd:00 mode=0100755 ouid=0 ogid=0
> rdev=00:00 obj=system_u:object_r:ld_so_t:s0
>
> So here's an example of my new record which shows a process getting new
> capabilities.

What about capset/capget?

> Does this show the type of information you guys think would be useful?

Yes, I think this is heading in the right direction. The capset syscall is the 
one that we also need to see since that is the one that started the whole 
discussion. 

Also, what does it look like when you run a normal setuid program? What does 
it look like when SE Linux denies a capability?

-Steve
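
The record quoted above can be turned into a detection check: parse the audit event, decode the hex capability masks, and flag any capabilities that appear in bprm_effective but were not in task_permitted, i.e. capabilities the exec gained from the file rather than from the caller. The following Python is an added example and not code from the thread or from audit-userspace; it assumes the field names shown in Eric's sample record (type 1321 and the file_/task_/bprm_ masks) and takes capability bit numbers from linux/capability.h.

```python
import re

# Capability bit numbers from linux/capability.h (subset; other bits are
# reported by number). 0x3000 in the sample record is bits 12 and 13.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN",
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_record(line):
    """Split one audit record into a key -> value dict (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["msg"] = rec["msg"].rstrip(":")  # "audit(ts:serial):" -> event id
    return rec

def decode_caps(mask):
    """Expand an integer capability mask into capability names, low bit first."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1]

def escalated_caps(rec):
    """Capabilities in bprm_effective that the calling task did not hold."""
    gained = int(rec["bprm_effective"], 16) & ~int(rec["task_permitted"], 16)
    return decode_caps(gained)

def escalation_report(lines):
    """Join records by event id; report exe and capabilities gained on exec."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["msg"], {}).update(rec)
    report = {}
    for msg, ev in events.items():
        gained = escalated_caps(ev) if "bprm_effective" in ev else []
        if gained:
            report[msg] = (ev.get("exe", "?"), gained)
    return report

# The event from the thread (abbreviated), re-joined one record per line.
SAMPLE_EVENT = [
    'type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59 '
    'success=yes exit=0 uid=500 euid=500 comm="ping" exe="/bin/ping" key=(null)',
    'type=UNKNOWN[1321] msg=audit(1224363342.919:60): '
    'file_permitted=0000000000003000 file_inheritable=0000000000003000 '
    'task_permitted=0000000000000000 task_inheritable=0000000000000000 '
    'task_effective=0000000000000000 bprm_effective=0000000000003000',
]

if __name__ == "__main__":
    for msg, (exe, caps) in escalation_report(SAMPLE_EVENT).items():
        print(f"{msg}: {exe} gained {', '.join(caps)}")
```

An event whose bprm_effective adds nothing beyond task_permitted (a plain binary, or a caller already holding the bits) produces no report entry.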
