From: rgb@redhat.com (Richard Guy Briggs)
To: linux-security-module@vger.kernel.org
Subject: [PATCH V4 06/10] capabilities: move audit log decision to function
Date: Tue, 5 Sep 2017 02:46:06 -0400 [thread overview]
Message-ID: <36700dd2a846de06fc5f6585e94d2f261f6f3083.1504591358.git.rgb@redhat.com> (raw)
In-Reply-To: <cover.1504591358.git.rgb@redhat.com>
Move the audit log decision logic to its own function to isolate the
complexity in one place.
Suggested-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
---
security/commoncap.c | 50 ++++++++++++++++++++++++++++++--------------------
1 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index d37ebec..eae7431 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -527,6 +527,32 @@ static inline bool __is_setuid(struct cred *new, const struct cred *old)
static inline bool __is_setgid(struct cred *new, const struct cred *old)
{ return !gid_eq(new->egid, old->gid); }
+/*
+ * Audit candidate if current->cap_effective is set
+ *
+ * We do not bother to audit if 3 things are true:
+ * 1) cap_effective has all caps
+ * 2) we are root
+ * 3) root is supposed to have all caps (SECURE_NOROOT)
+ * Since this is just a normal root execing a process.
+ *
+ * Number 1 above might fail if you don't have a full bset, but I think
+ * that is interesting information to audit.
+ */
+static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)
+{
+ bool ret = false;
+
+ if (__cap_grew(effective, ambient, cred)) {
+ if (!__cap_full(effective, cred) ||
+ !__is_eff(root, cred) || !__is_real(root, cred) ||
+ !root_privileged()) {
+ ret = true;
+ }
+ }
+ return ret;
+}
+
/**
* cap_bprm_set_creds - Set up the proposed credentials for execve().
* @bprm: The execution parameters, including the proposed creds
@@ -604,26 +630,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
if (WARN_ON(!cap_ambient_invariant_ok(new)))
return -EPERM;
- /*
- * Audit candidate if current->cap_effective is set
- *
- * We do not bother to audit if 3 things are true:
- * 1) cap_effective has all caps
- * 2) we are root
- * 3) root is supposed to have all caps (SECURE_NOROOT)
- * Since this is just a normal root execing a process.
- *
- * Number 1 above might fail if you don't have a full bset, but I think
- * that is interesting information to audit.
- */
- if (__cap_grew(effective, ambient, new)) {
- if (!__cap_full(effective, new) ||
- !__is_eff(root_uid, new) || !__is_real(root_uid, new) ||
- !root_privileged()) {
- ret = audit_log_bprm_fcaps(bprm, new, old);
- if (ret < 0)
- return ret;
- }
+ if (nonroot_raised_pE(new, root_uid)) {
+ ret = audit_log_bprm_fcaps(bprm, new, old);
+ if (ret < 0)
+ return ret;
}
new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-09-05 6:46 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-05 6:46 [PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id Richard Guy Briggs
2017-09-05 6:46 ` [PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root Richard Guy Briggs
2017-09-06 6:05 ` James Morris
2017-09-07 19:42 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 02/10] capabilities: intuitive names for cap gain status Richard Guy Briggs
2017-09-07 19:57 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 03/10] capabilities: rename has_cap to has_fcap Richard Guy Briggs
2017-09-08 18:15 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 04/10] capabilities: use root_priveleged inline to clarify logic Richard Guy Briggs
2017-09-08 18:18 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 05/10] capabilities: use intuitive names for id changes Richard Guy Briggs
2017-09-08 18:22 ` Kees Cook
2017-09-05 6:46 ` Richard Guy Briggs [this message]
2017-09-08 18:23 ` [PATCH V4 06/10] capabilities: move audit log decision to function Kees Cook
2017-09-05 6:46 ` [PATCH V4 07/10] capabilities: remove a layer of conditional logic Richard Guy Briggs
2017-09-08 18:26 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 08/10] capabilities: invert logic for clarity Richard Guy Briggs
2017-09-08 18:27 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 09/10] capabilities: fix logic for effective root or real root Richard Guy Briggs
2017-09-08 18:34 ` Kees Cook
2017-09-20 22:11 ` Paul Moore
2017-09-20 22:25 ` Kees Cook
2017-09-20 22:27 ` Paul Moore
2017-09-05 6:46 ` [PATCH V4 10/10] capabilities: audit log other surprising conditions Richard Guy Briggs
2017-09-08 18:36 ` Kees Cook
2017-09-20 22:22 ` Paul Moore
2017-09-08 17:02 ` [PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id Paul Moore
2017-09-14 5:54 ` Richard Guy Briggs
2017-09-14 6:46 ` Paul Moore
2017-09-14 6:49 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=36700dd2a846de06fc5f6585e94d2f261f6f3083.1504591358.git.rgb@redhat.com \
--to=rgb@redhat.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).