From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Serge E. Hallyn"
Subject: Re: [PATCH] capabilities: do not audit log BPRM_FCAPS on set*id
Date: Thu, 2 Mar 2017 20:07:57 -0600
Message-ID: <20170303020757.GA9920@mail.hallyn.com>
References: <515427654218b7ce22441f635115e93cf74d6302.1488491988.git.rgb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To: <515427654218b7ce22441f635115e93cf74d6302.1488491988.git.rgb@redhat.com>
Sender: owner-linux-security-module@vger.kernel.org
To: Richard Guy Briggs
Cc: linux-security-module@vger.kernel.org, linux-audit@redhat.com, Andy Lutomirski, "Serge E. Hallyn", Kees Cook, James Morris, Eric Paris, Paul Moore, Steve Grubb
List-Id: linux-audit@redhat.com

On Thu, Mar 02, 2017 at 08:10:29PM -0500, Richard Guy Briggs wrote:
> The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> application execution (SYSCALL execve). This is not expected as it was
> supposed to be limited to when the file system actually had capabilities
> in an extended attribute. It lists all capabilities making the event
> really ugly to parse what is happening. The PATH record correctly
> records the setuid bit and owner. Suppress the BPRM_FCAPS record on
> set*id.
>
> See: https://github.com/linux-audit/audit-kernel/issues/16

Hey Richard,

one possibly audit-worthy case which (if I read correctly) this will skip
is where a setuid-root binary has filecaps which *limit* its privs. Does
that matter?

> Signed-off-by: Richard Guy Briggs
> ---
> security/commoncap.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 14540bd..8f6bedf 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -594,16 +594,17 @@ skip: > /* > * Audit candidate if current->cap_effective is set > * > - * We do not bother to audit if 3 things are true: > + * We do not bother to audit if 4 things are true: > * 1) cap_effective has all caps > * 2) we are root > * 3) root is supposed to have all caps (SECURE_NOROOT) > + * 4) we are running a set*id binary > * Since this is just a normal root execing a process. > * > * Number 1 above might fail if you don't have a full bset, but I think > * that is interesting information to audit. > */ > - if (!cap_issubset(new->cap_effective, new->cap_ambient)) { > + if (!is_setid && !cap_issubset(new->cap_effective, new->cap_ambient)) { > if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || > !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) || > issecure(SECURE_NOROOT)) { > -- > 1.7.1
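Review bot: the new `is_setid` test in the outer `if` makes set*id alone sufficient to skip the audit record, but the updated comment presents it as item 4 of a list of conditions that must all hold ("We do not bother to audit if 4 things are true"); the inner `if` still only evaluates items 1-3, and `is_setid` short-circuits before them, so the comment and the code disagree. Either move the `is_setid` check into the inner conjunction so the comment is accurate, or reword the comment to state that set*id binaries are never audited here. Separately, as the reply above points out, a setuid-root binary whose file capabilities *restrict* its privileges will now produce no BPRM_FCAPS record at all, which is exactly the case an administrator would want recorded; since the commit message says the record was meant to appear only when the file actually carried a capability xattr, gating on that condition rather than on `is_setid` would match the stated intent more closely. The hunk also relies on `is_setid` being computed earlier in the function; a one-line note in the commit message on where it comes from and what it reflects (the binary's set*id bits, not a change in the capability sets) would help reviewers verify the new condition.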