From: "Andrew G. Morgan" <morgan@kernel.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Eric Paris <eparis@redhat.com>,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
viro@zeniv.linux.org.uk, sgrubb@redhat.com
Subject: Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities
Date: Wed, 22 Oct 2008 05:51:11 -0700 [thread overview]
Message-ID: <48FF21BF.9090509@kernel.org> (raw)
In-Reply-To: <20081021191625.GA4657@us.ibm.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[s/viro@...ok/viro@...uk/]
Serge E. Hallyn wrote:
>> Logging execve()s where there is only an increase in capabilities seems
>> wrong to me. To me it seems equally important to log any event where an
>> execve() yields pP != 0.
>
> True.
>
> ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
>
> And then it also might be interesting in the case where
> (!issecure(SECURE_NOROOT) && uid==0) and pP is not full.
I guess so, although this seems like a case of being interested in a
(unusual) non-privileged execve().
>>> rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
>>>
>>> + audit_log_bprm_fcaps(bprm, &vcaps);
>>> +
>> When rc != 0, the execve() will fail. Is it appropriate to log in this case?
>
> It might fail because fP contains bits not in pP', right? That's
> probably interesting to auditors.
In which case, how is the fact it didn't execute captured in the audit log?
Cheers
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFI/yG9+bHCR3gb8jsRAii1AKCDluqUSVyAKP67/9bhEgqdlx3xdACg0dn4
81bi/3eMaP1FqfdVK2u/BpM=
=QBli
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2008-10-22 12:51 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-20 22:25 [PATCH 0/4] Audit support for file capabilities Eric Paris
2008-10-20 22:25 ` Eric Paris
2008-10-20 22:26 ` [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps structure Eric Paris
2008-10-20 22:26 ` Eric Paris
2008-10-21 5:50 ` Andrew G. Morgan
2008-10-21 13:22 ` Eric Paris
2008-10-21 13:22 ` Eric Paris
2008-10-20 22:26 ` [PATCH 2/4] AUDIT: output permitted and inheritable fcaps in PATH records Eric Paris
2008-10-20 22:26 ` Eric Paris
2008-10-20 22:26 ` [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities Eric Paris
2008-10-20 22:26 ` Eric Paris
2008-10-21 5:53 ` Andrew G. Morgan
2008-10-21 19:16 ` Serge E. Hallyn
2008-10-21 19:16 ` Serge E. Hallyn
2008-10-22 12:51 ` Andrew G. Morgan [this message]
2008-10-22 14:14 ` Serge E. Hallyn
2008-10-22 14:14 ` Serge E. Hallyn
2008-10-23 4:13 ` Andrew G. Morgan
2008-10-29 21:58 ` Eric Paris
2008-10-29 21:58 ` Eric Paris
2008-10-30 13:35 ` Serge E. Hallyn
2008-10-30 13:35 ` Serge E. Hallyn
2008-10-20 22:26 ` [PATCH 4/4] AUDIT: emit new record type showing all capset information Eric Paris
2008-10-20 22:26 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48FF21BF.9090509@kernel.org \
--to=morgan@kernel.org \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
--cc=sgrubb@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.