Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Andrew G. Morgan

Subject: Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities

Date: Monday, October 20, 2008 - 10:53 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric Paris wrote:
quoted text> Any time fcaps are used to increase a processes pP or pE we will crate a new
> audit record which contains the entire set of known information about the 
> executable in question, fP, fI, fE, version and includes the parent processes
> pE, pI, pP.  This record type will only be emitted from execve syscalls.

I'm confused by the choice of when to log this event.

File capabilities are required to give a process 'any' active
capabilities. That is they don't affect pI -> pI', but without fI or fP,
the post-execve() process is guaranteed to have no pP or pE capabilities.

Logging execve()s where there is only an increase in capabilities seems
wrong to me. To me it seems equally important to log any event where an
execve() yields pP != 0.

quoted text> diff --git a/security/commoncap.c b/security/commoncap.c
> index 888b292..9bb285d 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -8,6 +8,7 @@
>   */
>  
>  #include <linux/capability.h>
> +#include <linux/audit.h>
>  #include <linux/module.h>
>  #include <linux/init.h>
>  #include <linux/kernel.h>
> @@ -320,6 +321,8 @@ static int get_file_caps(struct linux_binprm *bprm)
>  
>  	rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
>  
> +	audit_log_bprm_fcaps(bprm, &vcaps);
> +

When rc != 0, the execve() will fail. Is it appropriate to log in this case?

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI/W5F+bHCR3gb8jsRAhM9AJ9oJL4PmdtMwHEkN0Xh0ZTHBlJPzgCfVT/8
1Rq4wgGWftqpaVXBmeAsEi8=
=W8R9
-----END PGP SIGNATURE-----
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH 0/4] Audit support for file capabilities, Eric Paris, (Mon Oct 20, 3:25 pm)

[PATCH 1/4] CAPABILITIES: add cpu endian vfs caps structure, Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 2/4] AUDIT: output permitted and inheritable fcaps ..., Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 3/4] AUDIT: audit when fcaps increase the permitted ..., Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 4/4] AUDIT: emit new record type showing all capset ..., Eric Paris, (Mon Oct 20, 3:26 pm)

Re: [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps stru ..., Andrew G. Morgan, (Mon Oct 20, 10:50 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Mon Oct 20, 10:53 pm)

Re: [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps stru ..., Eric Paris, (Tue Oct 21, 6:22 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Tue Oct 21, 12:16 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Wed Oct 22, 5:51 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Wed Oct 22, 7:14 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Wed Oct 22, 9:13 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Eric Paris, (Wed Oct 29, 2:58 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Thu Oct 30, 6:35 am)

Navigation

Popular discussions


linux-kernel:
Michael Trimarchi	Re: [PATCH] VFS: make file->f_pos access atomic on 32bit arch
Miklos Szeredi	[patch 14/15] vfs: more path_permission() conversions
Serge E. Hallyn	Re: [RFC v5][PATCH 7/8] Infrastructure for shared objects
Bernd Schmidt	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Takashi Iwai	[PATCH 2/2] input: Add LED support to Synaptics device
git:
Junio C Hamano	Re: mingw, windows, crlf/lf, and git
Eyvind Bernhardsen	Re: Where has "git ls-remote" reference pattern matching gone?
Shawn O. Pearce	Re: Switching from CVS to GIT
Todd Zullinger	Re: [PATCH 2/2] send-email: rfc2047-quote subject lines with non-ascii characters
Santi Béjar	Re: How to use git-fmt-merge-msg?
linux-netdev:
Ramkrishna Vepa	[net-2.6 PATCH 1/10] Neterion: New driver: Driver help file
Mark Anthony	invitation / inquiry
Ingo Molnar	Re: [PATCH 08/16] dma-debug: add core checking functions
David Miller	Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Sascha Hauer	[PATCH 03/12] fec: do not typedef struct types
git-commits-head:
Linux Kernel Mailing List	amba: struct device - replace bus_id with dev_name(), dev_set_name()
Linux Kernel Mailing List	MIPS: Yosemite: Convert SMP startup lock to arch spinlock.
Linux Kernel Mailing List	ARM: S5PC100: IRQ and timer
Linux Kernel Mailing List	davinci: edma: clear interrupt status for interrupt enabled channels only
Linux Kernel Mailing List	x86, mm, kprobes: fault.c, simplify notify_page_fault()
openbsd-misc:
Daniel A. Ramaley	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?
Matthias Kilian	Re: can't get vesa @ 1280x800 or nv
Tobias Ulmer	Re: Problem after upgrade 4.5 to 4.6: ERR M
Philip Guenther	Re: SIGCHLD and libpthread.so
J.C. Roberts	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

Colocation donated by:

Syndicate