[PATCH] audit: unswing cap_* fields in PATH records

Richard Guy Briggs rgb at redhat.com
Sun Apr 23 05:42:06 UTC 2017


On 2017-04-21 13:20, Serge E. Hallyn wrote:
> Quoting Richard Guy Briggs (rgb at redhat.com):
> > The cap_* fields swing in and out of PATH records.
> > If no capabilities are set, the cap_* fields are completely missing and when
> > one of the cap_fi or cap_fp values is empty, that field is omitted.
> > 
> > Original:
> > type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> > type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2
> > 
> > Normalize the PATH record by always printing all 4 cap_* fields.
> > 
> > Fixed:
> > type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none cap_fe=1 cap_fver=2
> > 
> > See: https://github.com/linux-audit/audit-kernel/issues/42
> > 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> 
> Is this a big problem for the audit daemon?  There's no actual incorrectness
> here right?  I'm not completely opposed, but it does seem like a waste of
> space in the (overwhelmingly) most common cases.

There is no actual incorrectness.  Steve Grubb has been requesting that
audit records be "normalized" so that fields don't swing in and out,
making parsing easier in userspace tools.

I agree it seems a waste of space/bandwidth to include empty fields but
I'm trying to ease things for userspace processing and analysis tools.

> > ---
> >  kernel/audit.c |   20 ++++----------------
> >  1 files changed, 4 insertions(+), 16 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 10bc2ba..de264d1 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1956,22 +1956,10 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
> >  
> >  static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
> >  {
> > -	kernel_cap_t *perm = &name->fcap.permitted;
> > -	kernel_cap_t *inh = &name->fcap.inheritable;
> > -	int log = 0;
> > -
> > -	if (!cap_isclear(*perm)) {
> > -		audit_log_cap(ab, "cap_fp", perm);
> > -		log = 1;
> > -	}
> > -	if (!cap_isclear(*inh)) {
> > -		audit_log_cap(ab, "cap_fi", inh);
> > -		log = 1;
> > -	}
> > -
> > -	if (log)
> > -		audit_log_format(ab, " cap_fe=%d cap_fver=%x",
> > -				 name->fcap.fE, name->fcap_ver);
> > +	audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
> > +	audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
> > +	audit_log_format(ab, " cap_fe=%d cap_fver=%x",
> > +			 name->fcap.fE, name->fcap_ver);
> >  }
> >  
> >  static inline int audit_copy_fcaps(struct audit_names *name,
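Review bot: the two unconditional audit_log_cap() calls now depend on that function rendering a cleared kernel_cap_t as the literal "none" shown in the Fixed: examples (cap_fp=none cap_fi=none); audit_log_cap() is outside this hunk, so confirm it never emits an empty value for a clear set, otherwise the stated goal that all four cap_* fields are always present and parseable is not met. The commit message should also call this out as a user-visible record-format change, since the " cap_fp=none cap_fi=none cap_fe=0 cap_fver=0" suffix is now appended to every PATH record rather than only to those naming a file with capabilities, which is the size concern raised in review.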
> > -- 
> > 1.7.1

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
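The point of the patch is that analysis tools had to cope with two shapes of PATH record: one where the cap_* fields are present and one where some or all are missing. The following is an added example (not code from the thread, the kernel or the audit-userspace project) showing how a log consumer can parse both shapes and collapse them to the normalized form, so that a check such as "which PATH records name a file carrying file capabilities" gives the same answer before and after the kernel change. It assumes the ausearch-style interpreted record layout quoted in the patch description and uses those exact records as constructed sample input; the defaults "none"/"0" for absent fields are taken from the Fixed: output in the commit message.

```python
import re
from typing import Dict, List, Tuple

# Sample PATH records copied from the patch description (ausearch -i style).
# "Original" = pre-patch kernel, cap_* fields swing in and out.
BEFORE = [
    "type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL",
    "type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2",
]
# "Fixed" = patched kernel, all four cap_* fields always present.
AFTER = [
    "type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0",
    "type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none cap_fe=1 cap_fver=2",
]

CAP_FIELDS = ("cap_fp", "cap_fi", "cap_fe", "cap_fver")
# Values the normalized kernel prints when nothing is set (from the Fixed: output).
CAP_DEFAULTS = {"cap_fp": "none", "cap_fi": "none", "cap_fe": "0", "cap_fver": "0"}

# msg=audit(...) contains a space inside the parentheses, so it is extracted
# before the plain key=value scan, which would otherwise split it in two.
_MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_path_record(line: str) -> Dict[str, str]:
    """Parse one interpreted audit record into a key -> value dict."""
    fields: Dict[str, str] = {}
    m = _MSG_RE.search(line)
    if m:
        fields["msg"] = m.group(1)
        line = line[: m.start()] + line[m.end():]
    for key, value in _KV_RE.findall(line):
        fields[key] = value
    return fields


def normalize_caps(fields: Dict[str, str]) -> Dict[str, str]:
    """Fill in any cap_* field the old kernel omitted, using the values the
    normalized kernel prints, so both record shapes analyse identically."""
    out = dict(fields)
    for key in CAP_FIELDS:
        out.setdefault(key, CAP_DEFAULTS[key])
    return out


def has_file_caps(fields: Dict[str, str]) -> bool:
    """True when the named file carries file capabilities: the kernel applied
    an fcaps xattr (cap_fe=1) or a permitted/inheritable set is non-empty."""
    f = normalize_caps(fields)
    return f["cap_fe"] == "1" or f["cap_fp"] != "none" or f["cap_fi"] != "none"


def find_privileged_paths(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, cap_fp, cap_fi) for every PATH record naming a file with
    file capabilities, regardless of which record shape the kernel produced."""
    hits = []
    for line in lines:
        f = parse_path_record(line)
        if f.get("type") != "PATH":
            continue
        if has_file_caps(f):
            n = normalize_caps(f)
            hits.append((n["name"], n["cap_fp"], n["cap_fi"]))
    return hits


if __name__ == "__main__":
    for label, records in (("before", BEFORE), ("after", AFTER)):
        print(label, find_privileged_paths(records))
```

The same detection result for both inputs is exactly what the normalization buys a consumer: once every record carries all four fields, `normalize_caps` becomes a no-op and the parser no longer has to know which kernel produced the log.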