PATH records show fcaps

Serge E. Hallyn serue at us.ibm.com
Mon Oct 20 19:13:53 UTC 2008 

Quoting Eric Paris (eparis at redhat.com):
> On Mon, 2008-10-20 at 13:13 -0500, Serge E. Hallyn wrote:
> > Quoting Eric Paris (eparis at redhat.com):
> > > On Mon, 2008-10-20 at 11:33 -0500, Serge E. Hallyn wrote:
> > > > Quoting Eric Paris (eparis at redhat.com):
> > > > > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > > 
> > > > This part above is the credentials of the running task, right?  Will it
> > > > output your process inheritable set if nonempty?
> > > > 
> > > > (I would think you should be able to test this by doing
> > > > 
> > > > 	capsh --inh=cap_sys_admin /bin/sh
> > > > 	/bin/foo
> > > > 
> > > > and look for /bin/foo's record)
> > > > 
> > > > thanks,
> > > > -serge
> > > 
> > > For this (patch 2) I'm adding information so you can tell a process
> > > escalated it privs with fcaps.  This really means you have to audit
> > > EXECVE (since this is when fcaps are applied)
> > > 
> > > setcap "cap_net_admin+pei" /bin/bash
> > > setcap "cap_net_raw+pei" /bin/ping
> > > 
> > > auditctl -a exit,always -S execve -F path=/bin/ping
> > > 
> > > type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=1 name=(null) inode=507963 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
> > > type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=0 name=/bin/ping inode=49227 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fP=0000000000002000 cap_fE=1 cap_fVer=2
> > > type=CWD msg=audit(10/20/2008 13:27:55.318:218) :  cwd=/home/test 
> > > type=UNKNOWN[1321] msg=audit(10/20/2008 13:27:55.318:218) :  cap_fP=0000000000002000 cap_fI=0000000000000000 cap_fE=1 cap_pP=0000000000001000 cap_pI=0000000000000000 cap_pE=0000000000001000 cap_bprmE=0000000000002000 
> > 
> > This looks wrong - you say above that you set cap_net_raw in fI for
> > ping, but this shows fI as empty?
> 
> /*
>  * pP' = (X & fP) | (pI & fI)
>  */
> 
> Not going to disagree that is weird but fcaps aren't inheritable from my

I'm not saying I expected to see them in pP.  I'm saying that you report
cap_fI as empty.  I assume cap_fI should be fI straight out of the
xattr.  Above you said you put cap_net_raw into fI.

So unless you had actually done 'setcap "cap_net_raw+pe" /bin/ping'
before collecting that audit record, it looks like you've got a bug
in grabbing fI.

(As for the way fI is used, you are exactliy right - it is masked
against pI then placed in pP'.  The idea is that your process can
carry ambient privileges which are only enabled if the file lets
you, but at the same time are not enabled for tasks which don't
have it in pI.  So the example I usually use is if you have a
limited administrative role which just gets pI=cap_net_admin, and
fI on ifconfig is cap_net_admin.  Now other users (with pI=empty)
run ifconfig without privilege, and the limited admin only gets
cap_net_admin for ifconfig)

-serge

More information about the Linux-audit mailing list