Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[s/viro@...ok/viro@...uk/]
Serge E. Hallyn wrote:
> Logging execve()s where there is only an increase in capabilities
seems
> wrong to me. To me it seems equally important to log any event where an
> execve() yields pP != 0.
True.
... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
And then it also might be interesting in the case where
(!issecure(SECURE_NOROOT) && uid==0) and pP is not full.
I guess so, although this seems like a case of being interested in a
(unusual) non-privileged execve().
>> rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
>>
>> + audit_log_bprm_fcaps(bprm, &vcaps);
>> +
> When rc != 0, the execve() will fail. Is it appropriate to log in this case?
It might fail because fP contains bits not in pP', right? That's
probably interesting to auditors.
In which case, how is the fact it didn't execute captured in the audit log?
Cheers
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFI/yG9+bHCR3gb8jsRAii1AKCDluqUSVyAKP67/9bhEgqdlx3xdACg0dn4
81bi/3eMaP1FqfdVK2u/BpM=
=QBli
-----END PGP SIGNATURE-----