From: Steve Grubb
Subject: Re: [PATCH] capabilities: add field names for ambient capabilities
Date: Mon, 18 Sep 2017 16:20:29 -0400
Message-ID: <94115423.nhF4BirrdY@x2>
References: <1497321337-29641-1-git-send-email-rgb@redhat.com>
In-Reply-To: <1497321337-29641-1-git-send-email-rgb@redhat.com>
To: Richard Guy Briggs, Paul Moore
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, June 12, 2017 10:35:37 PM EDT Richard Guy Briggs wrote:
> Linux kernel capabilities were augmented to include ambient capabilities in
> v4.3 commit 58319057b784 ("capabilities: ambient capabilities").
>
> Add interpretation types for cap_pa, old_pa, pa.
>
> The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
> "new_pi", "new_pe" so in keeping with the previous record
> normalizations, change the "new_p*" variants to simply drop the "new_"
> prefix.
>
> A sample of the replaced BPRM_FCAPS record:
> RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
> fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
> old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
> pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
> pa=0000000000000000
>
> INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2
> fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none
> old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
>
> A sample of the replaced CAPSET record:
> RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
> cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
> cap_pa=0000000000000000
>
> INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \
> cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
> cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
> cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
> cap_pa=none
>
> Signed-off-by: Richard Guy Briggs

Applied to the audit-2.8 work.

-Steve
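The interpretation the patch description asks for (a 16-hex-digit capability bitmask per field, printed as the list of capability names, with the new pa/old_pa/cap_pa ambient fields treated like the others) is small enough to reproduce stand-alone. The following is an added example written for this page, not code from the audit userspace or from the patch: it decodes the two RAW sample records quoted above, and it also diffs old_pe against pe so a BPRM_FCAPS record can be turned into "this exec gained sys_admin", which is the question an analyst actually asks of that record. Bit assignments follow include/uapi/linux/capability.h; bits 38-40 (perfmon, bpf, checkpoint_restore) postdate the message and are listed only so newer records decode. The one deliberate divergence from the INTERPRET samples is fe: the kernel logs it as the file's 0/1 effective flag, not a mask, so this decoder leaves it as a flag instead of producing "chown" for a 1. The regex field splitter and the function names are this example's own choices.

```python
import re

# Capability bit numbers as defined in include/uapi/linux/capability.h. Bits 0-37
# (chown..audit_read) are exactly the set the CAPSET sample above decodes to;
# perfmon, bpf and checkpoint_restore (bits 38-40) were added in later kernels
# and are listed so a newer record does not fall back to a bare bit number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Fields that carry a capability bitmask printed as 16 hex digits. "fe" is left
# out on purpose: the kernel logs it as the file's 0/1 "effective" flag, so
# running it through the mask decoder would label a 1 as "chown".
CAP_MASK_FIELDS = {
    "fp", "fi", "pp", "pi", "pe", "pa",
    "old_pp", "old_pi", "old_pe", "old_pa",
    "new_pp", "new_pi", "new_pe", "new_pa",
    "cap_fp", "cap_fi", "cap_pp", "cap_pi", "cap_pe", "cap_pa",
}

# Sample records copied from the RAW lines in the message above.
BPRM_FCAPS_SAMPLE = (
    "type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 "
    "fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 "
    "old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 "
    "pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 "
    "pa=0000000000000000"
)
CAPSET_SAMPLE = (
    "type=CAPSET msg=audit(1491469502.371:242): pid=833 "
    "cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff "
    "cap_pa=0000000000000000"
)

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_caps(hexmask):
    """Expand a hex capability bitmask into the comma-separated name list that
    ausearch -i prints; an empty mask is 'none', unknown bits print as numbers."""
    mask = int(hexmask, 16)
    if mask == 0:
        return "none"
    names = []
    for bit in range(mask.bit_length()):
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit))
    return ",".join(names)


def parse_record(line):
    """Split one raw audit record into a dict of field name -> raw value."""
    return dict(FIELD_RE.findall(line))


def interpret_record(line):
    """Return the record with every capability-mask field decoded to names;
    other fields (including the fe flag) are passed through unchanged."""
    return {k: decode_caps(v) if k in CAP_MASK_FIELDS else v
            for k, v in parse_record(line).items()}


def gained_caps(line, old="old_pe", new="pe"):
    """Capabilities set in `new` but clear in `old`, i.e. what the exec gained.
    The default pair shows the effective-set jump a BPRM_FCAPS record describes;
    pass old="old_pa", new="pa" to watch the ambient set instead."""
    f = parse_record(line)
    if old not in f or new not in f:
        return []
    diff = int(f[new], 16) & ~int(f[old], 16)
    return [] if diff == 0 else decode_caps("%016x" % diff).split(",")


if __name__ == "__main__":
    for rec in (BPRM_FCAPS_SAMPLE, CAPSET_SAMPLE):
        print(" ".join("%s=%s" % kv for kv in interpret_record(rec).items()))
    print("gained on exec:", gained_caps(BPRM_FCAPS_SAMPLE))
```

Run as a script it prints both records in interpreted form and reports that the sampled exec gained sys_admin from file capabilities while the ambient set stayed empty. To use it on a live system, feed it the output of `ausearch --raw -m BPRM_FCAPS,CAPSET` line by line; a non-empty result from gained_caps on a BPRM_FCAPS record is the signal worth alerting on, since it is precisely a privilege boundary being crossed at exec time.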