Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Andrew G. Morgan

Subject: Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities

Date: Wednesday, October 22, 2008 - 5:51 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[s/viro@...ok/viro@...uk/]

Serge E. Hallyn wrote:
quoted text>> Logging execve()s where there is only an increase in capabilities seems
>> wrong to me. To me it seems equally important to log any event where an
>> execve() yields pP != 0.
> 
> True.
> 
> ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
> 
> And then it also might be interesting in the case where
> (!issecure(SECURE_NOROOT) && uid==0) and pP is not full.

I guess so, although this seems like a case of being interested in a
(unusual) non-privileged execve().

quoted text>>>  	rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
>>>  
>>> +	audit_log_bprm_fcaps(bprm, &vcaps);
>>> +
>> When rc != 0, the execve() will fail. Is it appropriate to log in this case?
> 
> It might fail because fP contains bits not in pP', right?  That's
> probably interesting to auditors.

In which case, how is the fact it didn't execute captured in the audit log?

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI/yG9+bHCR3gb8jsRAii1AKCDluqUSVyAKP67/9bhEgqdlx3xdACg0dn4
81bi/3eMaP1FqfdVK2u/BpM=
=QBli
-----END PGP SIGNATURE-----
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH 0/4] Audit support for file capabilities, Eric Paris, (Mon Oct 20, 3:25 pm)

[PATCH 1/4] CAPABILITIES: add cpu endian vfs caps structure, Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 2/4] AUDIT: output permitted and inheritable fcaps ..., Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 3/4] AUDIT: audit when fcaps increase the permitted ..., Eric Paris, (Mon Oct 20, 3:26 pm)

[PATCH 4/4] AUDIT: emit new record type showing all capset ..., Eric Paris, (Mon Oct 20, 3:26 pm)

Re: [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps stru ..., Andrew G. Morgan, (Mon Oct 20, 10:50 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Mon Oct 20, 10:53 pm)

Re: [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps stru ..., Eric Paris, (Tue Oct 21, 6:22 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Tue Oct 21, 12:16 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Wed Oct 22, 5:51 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Wed Oct 22, 7:14 am)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Andrew G. Morgan, (Wed Oct 22, 9:13 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Eric Paris, (Wed Oct 29, 2:58 pm)

Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permi ..., Serge E. Hallyn, (Thu Oct 30, 6:35 am)

Navigation

Popular discussions


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Hugh Dickins	Re: Linux 2.6.26-rc1 - pgtable_32.c:178 pmd_bad
Bernhard Beck	[PATCH 001/001] usb-serial: Add ThinkOptics WavIT
Oleg Nesterov	Re: [PATCH 4/5] don't panic if /sbin/init exits or killed
Greg KH	[patch 07/21] rtc-pcf8563: detect polarity of century bit automatically
git:
Jonathan del Strother	Re: [PATCH] Fixing path quoting issues
Gerrit Pape	[PATCH] fix skipping merge-order test with NO_OPENSSL=1.
Linus Torvalds	Re: Implementing branch attributes in git config
Johannes Schindelin	Re: Trying to use git-filter-branch to compress history by removing large, obsolet...
Gerrit Pape	[PATCH] hooks--update: fix test for properly set up project description file
linux-netdev:
David Miller	Re: [PATCH 04/15] tg3: Preserve LAA when device control is released
Jean-Louis Dupond	Re: tg3 driver not advertising 1000mbit
Sven Wegener	[PATCH] ipvs: Add missing locking during connection table hashing and unhashing
David Miller	Re: [PATCH] qlcnic: dont assume NET_IP_ALIGN is 2
Stephen Hemminger	[PATCH 2/2] sky2: fix transmit state on resume
git-commits-head:
Linux Kernel Mailing List	[SCSI] scsi ioctl: fix kernel-doc warning
Linux Kernel Mailing List	ALSA: HDA - Correct trivial typos in comments.
Linux Kernel Mailing List	i2c-viapro: Add support for SMBus Process Call transactions
Linux Kernel Mailing List	i2c: Documentation: upgrading clients HOWTO
Linux Kernel Mailing List	[PATCH] fix sysctl_nr_open bugs
openbsd-misc:
Die Gestalt	Re: How to re-build openssl with SHA1 support?
Edwin Eyan Moragas	Re: managing routes for multiple PPPoE connections
Brian Candler	Re: OBSD's perspective on SELinux
Jonathan Schleifer	Why is getaddrinfo breaking POSIX?
Predrag Punosevac	Re: Kernel developers guide/tutorial

Colocation donated by:

Syndicate