From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>, Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] capabilities: add field names for ambient capabilities
Date: Mon, 18 Sep 2017 16:20:29 -0400 [thread overview]
Message-ID: <94115423.nhF4BirrdY@x2> (raw)
In-Reply-To: <1497321337-29641-1-git-send-email-rgb@redhat.com>
On Monday, June 12, 2017 10:35:37 PM EDT Richard Guy Briggs wrote:
> Linux kernel capabilities were augmented to include ambient capabilities in
> v4.3 commit 58319057b784 ("capabilities: ambient capabilities").
>
> Add interpretation types for cap_pa, old_pa, pa.
>
> The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
> "new_pi", "new_pe" so in keeping with the previous record
> normalizations, change the "new_p*" variants to simply drop the "new_"
> prefix.
>
> A sample of the replaced BPRM_FCAPS record:
> RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
> fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
> old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
> pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
> pa=0000000000000000
>
> INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2
> fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none
> old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
>
> A sample of the replaced CAPSET record:
> RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
> cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
> cap_pa=0000000000000000
>
> INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \
> cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,s
> etpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_
> lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admi
> n,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_w
> rite,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_su
> spend,audit_read \
> cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,
> setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc
> _lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_adm
> in,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_
> write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_s
> uspend,audit_read \
> cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,
> setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc
> _lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_adm
> in,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_
> write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_s
> uspend,audit_read \ cap_pa=none
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Applied to the audit-2.8 work.
-Steve
prev parent reply other threads:[~2017-09-18 20:20 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-13 2:35 [PATCH] capabilities: add field names for ambient capabilities Richard Guy Briggs
2017-09-18 20:20 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=94115423.nhF4BirrdY@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox