[PATCH] capabilities: add field names for ambient capabilities

linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed

* [PATCH] capabilities: add field names for ambient capabilities
@ 2017-06-13  2:35 Richard Guy Briggs
  2017-09-18 20:20 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Guy Briggs @ 2017-06-13  2:35 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Linux kernel capabilities were augmented to include ambient capabilities in
v4.3 commit 58319057b784 ("capabilities: ambient capabilities").

Add interpretation types for cap_pa, old_pa, pa.

The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_p*" variants to simply drop the "new_"
prefix.

A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000

INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none

A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000

INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pa=none

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 auparse/typetab.h |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/auparse/typetab.h b/auparse/typetab.h
index be82796..42f3e82 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -89,6 +89,7 @@ _S(AUPARSE_TYPE_SESSION,	"ses"		)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"cap_pi"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"cap_pe"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"cap_pp"	)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"cap_pa"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"cap_fi"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"cap_fp"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"fp"		)
@@ -97,9 +98,14 @@ _S(AUPARSE_TYPE_CAP_BITMAP,	"fe"		)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"old_pp"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"old_pi"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"old_pe"	)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"old_pa"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"new_pp"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"new_pi"	)
 _S(AUPARSE_TYPE_CAP_BITMAP,	"new_pe"	)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"pp"		)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"pi"		)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"pe"		)
+_S(AUPARSE_TYPE_CAP_BITMAP,	"pa"		)
 _S(AUPARSE_TYPE_NFPROTO,	"family"	)
 _S(AUPARSE_TYPE_ICMPTYPE,	"icmptype"	)
 _S(AUPARSE_TYPE_PROTOCOL,	"proto"		)
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] capabilities: add field names for ambient capabilities
  2017-06-13  2:35 [PATCH] capabilities: add field names for ambient capabilities Richard Guy Briggs
@ 2017-09-18 20:20 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2017-09-18 20:20 UTC (permalink / raw)
  To: Richard Guy Briggs, Paul Moore; +Cc: linux-audit

On Monday, June 12, 2017 10:35:37 PM EDT Richard Guy Briggs wrote:
> Linux kernel capabilities were augmented to include ambient capabilities in
> v4.3 commit 58319057b784 ("capabilities: ambient capabilities").
> 
> Add interpretation types for cap_pa, old_pa, pa.
> 
> The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
> "new_pi", "new_pe" so in keeping with the previous record
> normalizations, change the "new_p*" variants to simply drop the "new_"
> prefix.
> 
> A sample of the replaced BPRM_FCAPS record:
> RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
> fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
> old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
> pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
> pa=0000000000000000
> 
> INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2
> fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none
> old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
> 
> A sample of the replaced CAPSET record:
> RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
> cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
> cap_pa=0000000000000000
> 
> INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \
> cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,s
> etpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_
> lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admi
> n,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_w
> rite,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_su
> spend,audit_read \
> cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,
> setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc
> _lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_adm
> in,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_
> write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_s
> uspend,audit_read \
> cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,
> setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc
> _lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_adm
> in,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_
> write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_s
> uspend,audit_read \ cap_pa=none
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Applied to the audit-2.8 work.

-Steve

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-09-18 20:20 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-13  2:35 [PATCH] capabilities: add field names for ambient capabilities Richard Guy Briggs
2017-09-18 20:20 ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).