From: Steve Grubb <sgrubb@redhat.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Add a new record which shows when fcaps escalate permissions
Date: Mon, 20 Oct 2008 07:24:15 -0400 [thread overview]
Message-ID: <200810200724.16076.sgrubb@redhat.com> (raw)
In-Reply-To: <1224364082.3189.88.camel@paris-laptop>
On Saturday 18 October 2008 17:08:02 Eric Paris wrote:
> type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59
> success=yes exit=0 a0=9f7460 a1=9fe7c0 a2=a059e0 a3=3445170a70 items=2
> ppid=2328 pid=2356 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="ping" exe="/bin/ping"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
execve syscall record
> type=EXECVE msg=audit(1224363342.919:60): argc=2 a0="ping" a1="127.0.0.1"
> type=UNKNOWN[1321] msg=audit(1224363342.919:60):
> file_permitted=0000000000003000 file_inheritable=0000000000003000
> task_permitted=0000000000000000 task_inheritable=0000000000000000
> task_effective=0000000000000000 bprm_effective=0000000000003000
Good. I'd prefer the proc file system abbreviations to save disk space.
> type=CWD msg=audit(1224363342.919:60): cwd="/home/test"
> type=PATH msg=audit(1224363342.919:60): item=0 name="/bin/ping" inode=49227
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000003000
> cap_inheritable=0000000000003000
> type=PATH msg=audit(1224363342.919:60):
> item=1 name=(null) inode=507963 dev=fd:00 mode=0100755 ouid=0 ogid=0
> rdev=00:00 obj=system_u:object_r:ld_so_t:s0
>
> So here's an example of my new record which shows a process getting new
> capabilities.
What about capset/capget?
> Does this show the type of information you guys think would be useful?
Yes, I think this is heading in the right direction. The capset syscall is the
one that we also need to see since that is the one that started the whole
discussion.
Also, what does it look like when you run a normal setuid program? What does
it look like when SE Linux denies a capability?
-Steve
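As an added example (not code from this thread, the kernel patch or the audit project), a small Python decoder for the records quoted above: it groups records by audit event id, decodes the 0000000000003000 masks into CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13) per include/uapi/linux/capability.h, and flags an execve whose bprm_effective holds capabilities the calling task's task_permitted set lacked, which is exactly what the proposed record is meant to surface. The record type number 1321 and field names are taken as shown above; the sample input is the thread's own records, re-joined one record per line.

```python
import re
from typing import Dict, List

# Capability bits per include/uapi/linux/capability.h; unnamed set bits are shown by number.
CAP_NAMES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a key/value dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def cap_names(mask_hex: str) -> List[str]:
    """Decode a hex capability mask into names, lowest bit first."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1]

def escalated_caps(records: List[Dict[str, str]]) -> List[str]:
    """Capabilities in bprm_effective that the calling task did not already
    hold in task_permitted, i.e. what the file capabilities added."""
    for r in records:
        if "bprm_effective" in r:
            gained = int(r["bprm_effective"], 16) & ~int(r.get("task_permitted", "0"), 16)
            return cap_names(f"{gained:x}")
    return []

def fcaps_escalations(log: str) -> Dict[str, dict]:
    """Group records by audit event id; report each execve whose fcaps record
    raised the effective set above the task's own permitted set."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.setdefault(m.group(1), []).append(parse_record(line))
    report = {}
    for eid, recs in events.items():
        gained = escalated_caps(recs)
        if gained:
            sysc = next((r for r in recs if r.get("type") == "SYSCALL"), {})
            report[eid] = {"exe": sysc.get("exe"), "uid": sysc.get("uid"), "gained": gained}
    return report

# Sample input: the records quoted in the thread, re-joined one record per line.
SAMPLE = """\
type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59 success=yes exit=0 ppid=2328 pid=2356 auid=0 uid=500 gid=500 euid=500 comm="ping" exe="/bin/ping"
type=EXECVE msg=audit(1224363342.919:60): argc=2 a0="ping" a1="127.0.0.1"
type=UNKNOWN[1321] msg=audit(1224363342.919:60): file_permitted=0000000000003000 file_inheritable=0000000000003000 task_permitted=0000000000000000 task_inheritable=0000000000000000 task_effective=0000000000000000 bprm_effective=0000000000003000
"""
```

A task that already holds the bits in task_permitted (for example one running as real root) produces no report entry, so the check only fires when the file capabilities actually raised privilege.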
Thread overview:
2008-10-18 21:08 Add a new record which shows when fcaps escalate permissions Eric Paris
2008-10-20 11:24 ` Steve Grubb [this message]