PATH records show fcaps

Eric Paris eparis at redhat.com
Mon Oct 20 17:55:00 UTC 2008 

On Mon, 2008-10-20 at 11:33 -0500, Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis at redhat.com):
> > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> This part above is the credentials of the running task, right?  Will it
> output your process inheritable set if nonempty?
> 
> (I would think you should be able to test this by doing
> 
> 	capsh --inh=cap_sys_admin /bin/sh
> 	/bin/foo
> 
> and look for /bin/foo's record)
> 
> thanks,
> -serge

For this (patch 2) I'm adding information so you can tell a process
escalated it privs with fcaps.  This really means you have to audit
EXECVE (since this is when fcaps are applied)

setcap "cap_net_admin+pei" /bin/bash
setcap "cap_net_raw+pei" /bin/ping

auditctl -a exit,always -S execve -F path=/bin/ping

type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=1 name=(null) inode=507963 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=0 name=/bin/ping inode=49227 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fP=0000000000002000 cap_fE=1 cap_fVer=2
type=CWD msg=audit(10/20/2008 13:27:55.318:218) :  cwd=/home/test 
type=UNKNOWN[1321] msg=audit(10/20/2008 13:27:55.318:218) :  cap_fP=0000000000002000 cap_fI=0000000000000000 cap_fE=1 cap_pP=0000000000001000 cap_pI=0000000000000000 cap_pE=0000000000001000 cap_bprmE=0000000000002000 
type=EXECVE msg=audit(10/20/2008 13:27:55.318:218) : argc=(null) a0=ping a1=127.0.0.1 
type=SYSCALL msg=audit(10/20/2008 13:27:55.318:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=2225590 a1=22257e0 a2=223ae30 a3=3445170a70 items=2 ppid=2994 pid=3023 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts0 ses=1 comm=ping exe=/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

My initial shell shows in /proc/self/status (matches above)
CapInh:	0000000000000000
CapPrm:	0000000000001000
CapEff:	0000000000001000
CapBnd:	ffffffffffffffff

So looking at this type=UNKNOWN line is the most interesting.  I do a
if(!issubset(cap_bprmEff, pP & pI).  I probaly should add a
if(fE && !issubset(cap_bprmEff, pE & pI)) as well.  So, if we are going
to change pP (and possibly pE) something like the above set of audit
messages is going to pop out.  In this case my login shell is ppid=2994
and the pid=3023 is the ping program executing.  Ping worked just fine.

Take note that at this point in the code pE and pP still show
cap_net_admin (from the /bin/bash fcap) but when ping actually finishes
execve and runs it won't have that cap since it isn't in pI.

Patch #3 is going to display more information for sys_capset (assuming
you turn on auditctl -a exit,always -S capset).  I already wrote that
patch but now I need to figure out a program that call sys_capset...

-Eric

More information about the Linux-audit mailing list