[PATCH] audit: unswing cap_* fields in PATH records

Paul Moore paul at paul-moore.com
Tue May 23 20:52:13 UTC 2017


On Wed, Apr 26, 2017 at 3:56 PM, Paul Moore <paul at paul-moore.com> wrote:
> On Thu, Apr 20, 2017 at 1:07 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
>> The cap_* fields swing in and out of PATH records.
>> If no capabilities are set, the cap_* fields are completely missing and when
>> one of the cap_fi or cap_fp values is empty, that field is omitted.
>>
>> Original:
>> type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
>> type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2
>>
>> Normalize the PATH record by always printing all 4 cap_* fields.
>>
>> Fixed:
>> type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>> type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none cap_fe=1 cap_fver=2
>>
>> See: https://github.com/linux-audit/audit-kernel/issues/42
>>
>> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
>> ---
>>  kernel/audit.c |   20 ++++----------------
>>  1 files changed, 4 insertions(+), 16 deletions(-)
>
> FWIW, I agree with the comments from Serge and yourself regarding the
> audit noise, but I understand the motivation behind this patch
> (limitations in the audit log design).
>
> This patch looks fine to me, but since we are -rc8 right now, and this
> isn't critical in any way, I'm going to defer merging this until after
> the merge window closes.

Merged.

-- 
paul moore
www.paul-moore.com
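Added example, not part of the patch or of this thread: a small Python consumer that parses the PATH records quoted in the commit message and fills in absent cap_* fields the way the patched kernel prints them, so records from pre- and post-patch kernels compare field by field and file capabilities can be flagged. The "none"/"0" defaults are taken from the "Fixed" records above; the parser itself and its field handling are this example's own assumptions.

```python
import re
from typing import Dict

# PATH records quoted from the patch description: before the patch, cap_* fields
# appear only when set (cap_fi missing on /home/sleep, all four missing on ld.so).
PRE_PATCH_SLEEP = (
    "type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep "
    "inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 "
    "obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2"
)
PRE_PATCH_LDSO = (
    "type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 "
    "name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 "
    "ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL"
)
POST_PATCH_SLEEP = (
    "type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep "
    "inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 "
    "obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none "
    "cap_fe=1 cap_fver=2"
)
# Values the patched kernel prints when nothing is set (taken from the "Fixed" records).
CAP_DEFAULTS = {"cap_fp": "none", "cap_fi": "none", "cap_fe": "0", "cap_fver": "0"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one PATH record into a dict; the msg=audit(...) token contains a
    space, so the header is split off at " : " before tokenising the body."""
    header, _, body = line.partition(" : ")
    fields = dict(FIELD_RE.findall(body))
    fields["type"] = header.split()[0].split("=", 1)[1]
    return fields


def normalize_caps(fields: Dict[str, str]) -> Dict[str, str]:
    """Fill in absent cap_* fields exactly as the patched kernel prints them,
    so records from pre- and post-patch kernels compare field by field."""
    out = dict(fields)
    for key, default in CAP_DEFAULTS.items():
        out.setdefault(key, default)
    return out


def file_caps(line: str) -> Dict[str, object]:
    """Summarise the file-capability state of the object in a PATH record."""
    f = normalize_caps(parse_record(line))
    has_caps = f["cap_fp"] != "none" or f["cap_fi"] != "none"
    return {"name": f["name"], "has_caps": has_caps, "effective": f["cap_fe"] == "1"}
```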




More information about the Linux-audit mailing list