From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Andrew G. Morgan" Subject: Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities Date: Wed, 22 Oct 2008 05:51:11 -0700 Message-ID: <48FF21BF.9090509@kernel.org> References: <20081020222538.3895.50175.stgit@paris.rdu.redhat.com> <20081020222612.3895.6710.stgit@paris.rdu.redhat.com> <48FD6E49.6060104@kernel.org> <20081021191625.GA4657@us.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20081021191625.GA4657@us.ibm.com> Sender: linux-kernel-owner@vger.kernel.org To: "Serge E. Hallyn" Cc: Eric Paris , linux-kernel@vger.kernel.org, linux-audit@redhat.com, viro@zeniv.linux.org.uk, sgrubb@redhat.com List-Id: linux-audit@redhat.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [s/viro@...ok/viro@...uk/] Serge E. Hallyn wrote: >> Logging execve()s where there is only an increase in capabilities seems >> wrong to me. To me it seems equally important to log any event where an >> execve() yields pP != 0. > > True. > > ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess? > > And then it also might be interesting in the case where > (!issecure(SECURE_NOROOT) && uid==0) and pP is not full. I guess so, although this seems like a case of being interested in a (unusual) non-privileged execve(). >>> rc = bprm_caps_from_vfs_caps(&vcaps, bprm); >>> >>> + audit_log_bprm_fcaps(bprm, &vcaps); >>> + >> When rc != 0, the execve() will fail. Is it appropriate to log in this case? > > It might fail because fP contains bits not in pP', right? That's > probably interesting to auditors. In which case, how is the fact it didn't execute captured in the audit log? Cheers Andrew -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFI/yG9+bHCR3gb8jsRAii1AKCDluqUSVyAKP67/9bhEgqdlx3xdACg0dn4 81bi/3eMaP1FqfdVK2u/BpM= =QBli -----END PGP SIGNATURE-----