From mboxrd@z Thu Jan  1 00:00:00 1970
From: James Morris <james.l.morris@oracle.com>
Subject: Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS
 on set*id
Date: Fri, 20 Oct 2017 16:15:00 +1100 (AEDT)
Message-ID: <alpine.LFD.2.20.1710201614310.20085@t440>
References: <cover.1507769413.git.rgb@redhat.com> <20171019130809.2farwdz3uav6vlp3@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Return-path: <linux-security-module-owner@vger.kernel.org>
In-Reply-To: <20171019130809.2farwdz3uav6vlp3@madcap2.tricolour.ca>
Sender: owner-linux-security-module@vger.kernel.org
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@kernel.org>, "Serge E . Hallyn" <serge.hallyn@ubuntu.com>, Paul Moore <pmoore@redhat.com>, Steve Grubb <sgrubb@redhat.com>, Eric Paris <eparis@redhat.com>
List-Id: linux-audit@redhat.com

On Thu, 19 Oct 2017, Richard Guy Briggs wrote:

> On 2017-10-11 20:57, Richard Guy Briggs wrote:
> > The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> > application execution (SYSCALL execve). This is not expected as it was
> > supposed to be limited to when the file system actually had capabilities
> > in an extended attribute.  It lists all capabilities making the event
> > really ugly to parse what is happening.  The PATH record correctly
> > records the setuid bit and owner.  Suppress the BPRM_FCAPS record on
> > set*id.
> 
> <crickets>
> 
> Serge?  James?  Can one of you two take this via your trees since Paul
> has backed down citing (reasonably) that it is mostly capabilities
> patches rather than audit?

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

-- 
James Morris
<james.l.morris@oracle.com>