From: paul@paul-moore.com (Paul Moore)
To: linux-security-module@vger.kernel.org
Subject: [PATCH V4 09/10] capabilities: fix logic for effective root or real root
Date: Wed, 20 Sep 2017 18:11:40 -0400 [thread overview]
Message-ID: <CAHC9VhS4oDiNNjLQD5QwdWaZ2AK3n0v-qP2h9CvF7XLcppSXKA@mail.gmail.com> (raw)
In-Reply-To: <fcc7f8815666df526110b59d76707d52bd1ca9c9.1504591358.git.rgb@redhat.com>
On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Now that the logic is inverted, it is much easier to see that both real
> root and effective root conditions had to be met to avoid printing the
> BPRM_FCAPS record with audit syscalls. This meant that any setuid root
> applications would print a full BPRM_FCAPS record when it wasn't
> necessary, cluttering the event output, since the SYSCALL and PATH
> records indicated the presence of the setuid bit and effective root user
> id.
>
> Require only one of effective root or real root to avoid printing the
> unnecessary record.
>
> Ref: commit 3fc689e96c0c ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS")
> See: https://github.com/linux-audit/audit-kernel/issues/16
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> Acked-by: James Morris <james.l.morris@oracle.com>
> ---
> security/commoncap.c | 5 ++---
> 1 files changed, 2 insertions(+), 3 deletions(-)
Trying to sort this out, I've decided that I dislike the capabilities
code as much as I dislike the audit code.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 7e8041d..759f3fa 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -532,7 +532,7 @@ static inline bool __is_setgid(struct cred *new, const struct cred *old)
> *
> * We do not bother to audit if 3 things are true:
> * 1) cap_effective has all caps
> - * 2) we are root
> + * 2) we became root *OR* are were already root
> * 3) root is supposed to have all caps (SECURE_NOROOT)
> * Since this is just a normal root execing a process.
> *
> @@ -545,8 +545,7 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)
>
> if (__cap_grew(effective, ambient, cred) &&
> !(__cap_full(effective, cred) &&
> - __is_eff(root, cred) &&
> - __is_real(root, cred) &&
> + (__is_eff(root, cred) || __is_real(root, cred)) &&
> root_privileged()))
> ret = true;
> return ret;
> --
> 1.7.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-09-20 22:11 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-05 6:46 [PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id Richard Guy Briggs
2017-09-05 6:46 ` [PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root Richard Guy Briggs
2017-09-06 6:05 ` James Morris
2017-09-07 19:42 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 02/10] capabilities: intuitive names for cap gain status Richard Guy Briggs
2017-09-07 19:57 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 03/10] capabilities: rename has_cap to has_fcap Richard Guy Briggs
2017-09-08 18:15 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 04/10] capabilities: use root_priveleged inline to clarify logic Richard Guy Briggs
2017-09-08 18:18 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 05/10] capabilities: use intuitive names for id changes Richard Guy Briggs
2017-09-08 18:22 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 06/10] capabilities: move audit log decision to function Richard Guy Briggs
2017-09-08 18:23 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 07/10] capabilities: remove a layer of conditional logic Richard Guy Briggs
2017-09-08 18:26 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 08/10] capabilities: invert logic for clarity Richard Guy Briggs
2017-09-08 18:27 ` Kees Cook
2017-09-05 6:46 ` [PATCH V4 09/10] capabilities: fix logic for effective root or real root Richard Guy Briggs
2017-09-08 18:34 ` Kees Cook
2017-09-20 22:11 ` Paul Moore [this message]
2017-09-20 22:25 ` Kees Cook
2017-09-20 22:27 ` Paul Moore
2017-09-05 6:46 ` [PATCH V4 10/10] capabilities: audit log other surprising conditions Richard Guy Briggs
2017-09-08 18:36 ` Kees Cook
2017-09-20 22:22 ` Paul Moore
2017-09-08 17:02 ` [PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id Paul Moore
2017-09-14 5:54 ` Richard Guy Briggs
2017-09-14 6:46 ` Paul Moore
2017-09-14 6:49 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhS4oDiNNjLQD5QwdWaZ2AK3n0v-qP2h9CvF7XLcppSXKA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).