public inbox for linux-kernel@vger.kernel.org
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	sgrubb@redhat.com, morgan@kernel.org, viro@ZenIV.linux.org.uk
Subject: Re: [PATCH -v3 3/5] AUDIT: output permitted and inheritable fcaps in PATH records
Date: Mon, 10 Nov 2008 08:46:32 -0600
Message-ID: <20081110144632.GB11561@us.ibm.com>
In-Reply-To: <20081107151406.9977.3167.stgit@paris.rdu.redhat.com>

Quoting Eric Paris (eparis@redhat.com):
> This patch will print cap_permitted and cap_inheritable data in the PATH
> records of any file that has file capabilities set.  Files which do not
> have fcaps set will not have different PATH records.
> 
> An example audit record if you run:
> setcap "cap_net_admin+pie" /bin/bash
> /bin/bash
> 
> type=SYSCALL msg=audit(1225741937.363:230): arch=c000003e syscall=59 success=yes exit=0 a0=2119230 a1=210da30 a2=20ee290 a3=8 items=2 ppid=2149 pid=2923 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=EXECVE msg=audit(1225741937.363:230): argc=2 a0="ping" a1="www.google.com"
> type=CWD msg=audit(1225741937.363:230):  cwd="/root"
> type=PATH msg=audit(1225741937.363:230): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fi=0000000000002000 cap_fe=1 cap_fver=2
> type=PATH msg=audit(1225741937.363:230): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Acked-by: Serge Hallyn <serue@us.ibm.com>

...
> +struct audit_cap_data {
> +	kernel_cap_t		permitted;
> +	kernel_cap_t		inheritable;
> +	union {
> +		unsigned int	fE;
> +		kernel_cap_t	effective;
> +	};
> +};
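
Review bot: the anonymous union of `fE` and `effective` gives no indication of which member is live, and the two members are not the same width (`unsigned int` against `kernel_cap_t`, which the 16-hex-digit `cap_fp`/`cap_fi` values in the PATH record above suggest is 64 bits), so code that reads `effective` from an entry filled as a file cap would see a partly unset value. Add a comment above the union stating that `fE` holds the single file effective bit (the `cap_fe=1` shown in the record) and `effective` the full process effective set, or carry an explicit flag instead of relying on the caller to know.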

To help future readers, it might be helpful to have a comment here to
explain that fE is used when it describes a file cap, and effective when
it describes a process cap.  Maybe that's obvious enough, I'm not sure.

thanks,
-serge
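The PATH record format described in the quoted patch (plain `key=value` fields, with `cap_fp`/`cap_fi` as 64-bit hex masks and `cap_fe` as a single bit) is easy to consume from a log pipeline. The following is an added example, not code from the patch or from anyone in this thread: it parses audit records, keeps only PATH items that carry file capabilities, and decodes the masks into capability names using the standard Linux capability numbering of the time (up to CAP_MAC_ADMIN); the sample input is copied from the record quoted above.

```python
import re

# Linux capability bit numbers in order (CAP_CHOWN = 0 ... CAP_MAC_ADMIN = 33),
# matching the numbering current when this thread was written.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin",
]

# key=value pairs; values are either double-quoted (name="/bin/ping") or bare
# tokens such as inode=49256, msg=audit(...):230) or name=(null).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample records taken from the audit output quoted in the patch description.
SAMPLE = [
    'type=PATH msg=audit(1225741937.363:230): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fi=0000000000002000 cap_fe=1 cap_fver=2',
    'type=PATH msg=audit(1225741937.363:230): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0',
]

def parse_record(line):
    """Split one audit record into a dict of key -> value, quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v)
            for k, v in FIELD_RE.findall(line)}

def decode_caps(hexmask):
    """Turn a cap_fp/cap_fi hex mask into capability names, lowest bit first.
    Bits beyond the known table are reported by number rather than dropped."""
    mask = int(hexmask, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def fcap_paths(lines):
    """Return (event serial, name, permitted, inheritable, effective-bit) for
    every PATH record that carries file capabilities. PATH records without
    cap_fp are unchanged by the patch and are skipped."""
    hits = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "PATH" or "cap_fp" not in f:
            continue
        serial = f["msg"].split(":")[1].rstrip(")")   # audit(ts:serial):
        hits.append((serial, f["name"], decode_caps(f["cap_fp"]),
                     decode_caps(f["cap_fi"]), f.get("cap_fe") == "1"))
    return hits

if __name__ == "__main__":
    for hit in fcap_paths(SAMPLE):
        print(hit)
```

Joining the hits back to the SYSCALL record of the same serial gives the auid, uid and comm of the process that executed the fcap'd file.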


Thread overview: 9+ messages
2008-11-07 15:13 [PATCH -v3 1/5] Capabilities: document the order of arguments to cap_issubset Eric Paris
2008-11-07 15:14 ` [PATCH -v3 2/5] CAPABILITIES: add cpu endian vfs caps structure Eric Paris
2008-11-07 15:14 ` [PATCH -v3 3/5] AUDIT: output permitted and inheritable fcaps in PATH records Eric Paris
2008-11-10 14:46   ` Serge E. Hallyn [this message]
2008-11-07 15:14 ` [PATCH -v3 4/5] AUDIT: collect info when execve results in caps in pE Eric Paris
2008-11-10 14:53   ` Serge E. Hallyn
2008-11-07 15:14 ` [PATCH -v3 5/5] AUDIT: emit new record type showing all capset information Eric Paris
2008-11-10 14:55   ` Serge E. Hallyn
2008-11-10 14:28 ` [PATCH -v3 1/5] Capabilities: document the order of arguments to cap_issubset Serge E. Hallyn
