On Saturday 18 October 2008 17:08:02 Eric Paris wrote:
> type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59 success=yes exit=0 a0=9f7460 a1=9fe7c0 a2=a059e0 a3=3445170a70 items=2 ppid=2328 pid=2356 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> execve syscall record
> type=EXECVE msg=audit(1224363342.919:60): argc=2 a0="ping" a1="127.0.0.1"
> type=UNKNOWN[1321] msg=audit(1224363342.919:60): file_permitted=0000000000003000 file_inheritable=0000000000003000 task_permitted=0000000000000000 task_inheritable=0000000000000000 task_effective=0000000000000000 bprm_effective=0000000000003000
Good. I'd prefer the proc file system abbreviations to save disk space.
> type=CWD msg=audit(1224363342.919:60): cwd="/home/test"
> type=PATH msg=audit(1224363342.919:60): item=0 name="/bin/ping" inode=49227 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_permitted=0000000000003000 cap_inheritable=0000000000003000
> type=PATH msg=audit(1224363342.919:60): item=1 name=(null) inode=507963 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
>
> So here's an example of my new record which shows a process getting new capabilities.
What about capset/capget?
> Does this show the type of information you guys think would be useful?
Yes, I think this is heading in the right direction. The capset syscall is the
one that we also need to see since that is the one that started the whole
discussion.
Also, what does it look like when you run a normal setuid program? What does
it look like when SE Linux denies a capability?
-Steve
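As an added example (my own code, not part of this thread or of Eric's patch), here is a small parser that takes the records quoted above, groups them by audit event serial, decodes the 64-bit capability masks into capability names, and reports the capabilities an exec added to the task's effective set. For the ping record the gain is 0x3000, which is CAP_NET_ADMIN (bit 12) plus CAP_NET_RAW (bit 13). It assumes the prototype field names shown in the thread (file_permitted, task_effective, bprm_effective, ...); the abbreviated aliases it also accepts (fp, fi, old_pe, pe) and the BPRM_FCAPS type name are my understanding of what later kernels and audit userspace emit, not something this thread states. The sample records are the thread's, rejoined to one record per line.

```python
"""Decode the capability masks in the new audit record quoted above and flag
execs that raised the task's effective capability set (added example)."""
import re
from typing import Dict, List

# Capability bit numbers from linux/capability.h (first 32 capabilities).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
}

# Left: field names of the prototype record in the thread.  Right: abbreviated
# names I believe later kernels emit for the same fields (my assumption).
FIELD_ALIASES = {
    "file_permitted": "fp", "file_inheritable": "fi",
    "task_permitted": "old_pp", "task_inheritable": "old_pi",
    "task_effective": "old_pe", "bprm_effective": "pe",
}

# The numeric type seen in the thread (userspace had no name for it yet) and
# the name I assume audit userspace later gave it.
FCAPS_TYPES = ("UNKNOWN[1321]", "BPRM_FCAPS")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed sample: the records quoted in the thread, one record per line.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1224363342.919:60): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=9f7460 a1=9fe7c0 a2=a059e0 a3=3445170a70 items=2 ppid=2328 pid=2356 auid=0 uid=500 '
    'gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 '
    'comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
    'type=EXECVE msg=audit(1224363342.919:60): argc=2 a0="ping" a1="127.0.0.1"',
    'type=UNKNOWN[1321] msg=audit(1224363342.919:60): file_permitted=0000000000003000 '
    'file_inheritable=0000000000003000 task_permitted=0000000000000000 '
    'task_inheritable=0000000000000000 task_effective=0000000000000000 bprm_effective=0000000000003000',
    'type=CWD msg=audit(1224363342.919:60): cwd="/home/test"',
    'type=PATH msg=audit(1224363342.919:60): item=0 name="/bin/ping" inode=49227 dev=fd:00 '
    'mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 '
    'cap_permitted=0000000000003000 cap_inheritable=0000000000003000',
    'type=PATH msg=audit(1224363342.919:60): item=1 name=(null) inode=507963 dev=fd:00 '
    'mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into fields; quoted values lose their quotes and
    the event serial is pulled out of msg=audit(<time>:<serial>)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    for old, new in FIELD_ALIASES.items():
        if old in fields and new not in fields:
            fields[new] = fields[old]
    return fields


def decode_caps(mask: str) -> List[str]:
    """Expand a hex capability mask into capability names, low bit first.
    Bits beyond the table (newer capabilities) are reported as CAP_<bit>."""
    value = int(mask, 16)
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (value >> bit) & 1]


def gained_capabilities(lines) -> Dict[str, Dict[str, object]]:
    """Group records by event serial; for each event carrying a file-capability
    record, report the capabilities in the new effective set that were not in
    the old one.  Events that gained nothing (a normal exec) are omitted."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        rec = parse_record(line)
        if "serial" in rec:
            events.setdefault(rec["serial"], []).append(rec)
    result: Dict[str, Dict[str, object]] = {}
    for serial, recs in events.items():
        fcaps = next((r for r in recs if r.get("type") in FCAPS_TYPES), None)
        if fcaps is None:
            continue
        gained = int(fcaps.get("pe", "0"), 16) & ~int(fcaps.get("old_pe", "0"), 16)
        if not gained:
            continue
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        result[serial] = {
            "exe": syscall.get("exe"),
            "uid": syscall.get("uid"),
            "gained": decode_caps(f"{gained:x}"),
        }
    return result


if __name__ == "__main__":
    for serial, info in gained_capabilities(SAMPLE_LINES).items():
        print(f"event {serial}: {info['exe']} (uid {info['uid']}) gained {', '.join(info['gained'])}")
```

Run as a script it prints one line for the event above: uid 500 executing /bin/ping gained CAP_NET_ADMIN and CAP_NET_RAW. The comparison is deliberately old-effective versus new-effective rather than file_permitted alone, because a binary can carry file capabilities that the exec does not actually raise into the effective set; what a reviewer wants flagged is the transition, which is the point Steve makes about also needing to see capset.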