[PATCH] capabilities: do not audit log BPRM_FCAPS on set*id
Serge E. Hallyn
serge at hallyn.com
Fri Mar 3 02:07:57 UTC 2017
On Thu, Mar 02, 2017 at 08:10:29PM -0500, Richard Guy Briggs wrote:
> The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> application execution (SYSCALL execve). This is not expected as it was
> supposed to be limited to when the file system actually had capabilities
> in an extended attribute. It lists all capabilities making the event
> really ugly to parse what is happening. The PATH record correctly
> records the setuid bit and owner. Suppress the BPRM_FCAPS record on
> set*id.
>
> See: https://github.com/linux-audit/audit-kernel/issues/16
Hey Richard,
one possibly audit-worth case which (if I read correctly) this will
skip is where a setuid-root binary has filecaps which *limit* its privs.
Does that matter?
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> security/commoncap.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 14540bd..8f6bedf 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -594,16 +594,17 @@ skip:
> /*
> * Audit candidate if current->cap_effective is set
> *
> - * We do not bother to audit if 3 things are true:
> + * We do not bother to audit if 4 things are true:
> * 1) cap_effective has all caps
> * 2) we are root
> * 3) root is supposed to have all caps (SECURE_NOROOT)
> + * 4) we are running a set*id binary
> * Since this is just a normal root execing a process.
> *
> * Number 1 above might fail if you don't have a full bset, but I think
> * that is interesting information to audit.
> */
> - if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
> + if (!is_setid && !cap_issubset(new->cap_effective, new->cap_ambient)) {
> if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
> !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
> issecure(SECURE_NOROOT)) {
> --
> 1.7.1
More information about the Linux-audit
mailing list