Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities
Quoting Andrew G. Morgan (morgan(a)kernel.org):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[s/viro@...ok/viro@...uk/]
Serge E. Hallyn wrote:
>> Logging execve()s where there is only an increase in capabilities seems
>> wrong to me. To me it seems equally important to log any event where an
>> execve() yields pP != 0.
>
> True.
>
> ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
>
> And then it also might be interesting in the case where
> (!issecure(SECURE_NOROOT) && uid==0) and pP is not full.
I guess so, although this seems like a case of being interested in a
(unusual) non-privileged execve().
I'm not sure what you mean - but this can only happen if bits are taken
out of the capability bounding set, right?
>>> rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
>>>
>>> + audit_log_bprm_fcaps(bprm, &vcaps);
>>> +
>> When rc != 0, the execve() will fail. Is it appropriate to log in this case?
>
> It might fail because fP contains bits not in pP', right? That's
> probably interesting to auditors.
In which case, how is the fact it didn't execute captured in the audit log?
I assume as a FAIL? (Not sure of the exact wording in the logs)
-serge