On Mon, 2008-10-20 at 11:33 -0500, Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis(a)redhat.com):
> > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> This part above is the credentials of the running task, right? Will it
> output your process inheritable set if nonempty?
>
> (I would think you should be able to test this by doing
>     capsh --inh=cap_sys_admin /bin/sh
>     /bin/foo
> and look for /bin/foo's record)
>
> thanks,
> -serge
For this (patch 2) I'm adding information so you can tell a process
escalated its privs with fcaps. This really means you have to audit
EXECVE (since this is when fcaps are applied):
setcap "cap_net_admin+pei" /bin/bash
setcap "cap_net_raw+pei" /bin/ping
auditctl -a exit,always -S execve -F path=/bin/ping
type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=1 name=(null) inode=507963 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=0 name=/bin/ping inode=49227 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fP=0000000000002000 cap_fE=1 cap_fVer=2
type=CWD msg=audit(10/20/2008 13:27:55.318:218) : cwd=/home/test
type=UNKNOWN[1321] msg=audit(10/20/2008 13:27:55.318:218) : cap_fP=0000000000002000 cap_fI=0000000000000000 cap_fE=1 cap_pP=0000000000001000 cap_pI=0000000000000000 cap_pE=0000000000001000 cap_bprmE=0000000000002000
type=EXECVE msg=audit(10/20/2008 13:27:55.318:218) : argc=(null) a0=ping a1=127.0.0.1
type=SYSCALL msg=audit(10/20/2008 13:27:55.318:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=2225590 a1=22257e0 a2=223ae30 a3=3445170a70 items=2 ppid=2994 pid=3023 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts0 ses=1 comm=ping exe=/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
My initial shell shows this in /proc/self/status (matches the above):
CapInh: 0000000000000000
CapPrm: 0000000000001000
CapEff: 0000000000001000
CapBnd: ffffffffffffffff
So looking at this, the type=UNKNOWN line is the most interesting. I do a
if (!issubset(cap_bprmEff, pP & pI)). I probably should add a
if (fE && !issubset(cap_bprmEff, pE & pI)) as well. So, if we are going
to change pP (and possibly pE) something like the above set of audit
messages is going to pop out. In this case my login shell is ppid=2994
and the pid=3023 is the ping program executing. Ping worked just fine.
Take note that at this point in the code pE and pP still show
cap_net_admin (from the /bin/bash fcap) but when ping actually finishes
execve and runs it won't have that cap since it isn't in pI.
Patch #3 is going to display more information for sys_capset (assuming
you turn on auditctl -a exit,always -S capset). I already wrote that
patch, but now I need to figure out a program that calls sys_capset...
-Eric
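An added illustration, not code from Eric's patch or from either message above: the file-capability transformation applied at execve(2) as documented in capabilities(7), together with the `!issubset(cap_bprmEff, pP & pI)` trigger Eric describes, fed the values from his audit record (cap_fP=0x2000 is CAP_NET_RAW, bit 13; cap_pP=cap_pE=0x1000 is CAP_NET_ADMIN, bit 12; cap_pI=0; cap_fE=1). It also runs Serge's capsh scenario, an exec with a non-empty inheritable set, against a file with and without a matching fI. Struct and function names are this example's own, not the kernel's, and the uid-0 special case (full caps without SECURE_NOROOT) is deliberately not modelled, since the exec in the thread ran as uid=test.

```c
/* Added example: exec-time fcaps arithmetic per capabilities(7) and the
 * "fcaps raised this task's privileges" test from the thread.  Names are
 * this example's own; the root special case is not modelled. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capmask_t;

#define CAP_BIT(n)     ((capmask_t)1 << (n))
#define CAP_NET_ADMIN  12
#define CAP_NET_RAW    13
#define CAP_SYS_ADMIN  21

struct task_caps { capmask_t permitted, inheritable, effective, bounding; };
struct file_caps { capmask_t permitted, inheritable; int effective; };

/* a is a subset of b when no bit of a lies outside b */
static int cap_issubset(capmask_t a, capmask_t b) { return (a & ~b) == 0; }

/* capabilities(7):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * cap_bprmE in the audit record is P'(effective) as computed at this point. */
struct task_caps exec_with_fcaps(struct task_caps old, struct file_caps f)
{
    struct task_caps new = old;
    new.permitted   = (old.inheritable & f.inheritable) | (f.permitted & old.bounding);
    new.effective   = f.effective ? new.permitted : 0;
    new.inheritable = old.inheritable;
    return new;
}

/* Eric's trigger: !issubset(cap_bprmEff, pP & pI).  pP & pI is what the task
 * could have carried across an exec by itself; anything in the new effective
 * set beyond that came from the file caps, so the record is worth emitting. */
int fcaps_escalated(struct task_caps old, struct task_caps new)
{
    return !cap_issubset(new.effective, old.permitted & old.inheritable);
}

/* Scenario from the thread: a bash holding CAP_NET_ADMIN (pI empty) execs
 * /bin/ping carrying cap_net_raw+pei. */
static const struct task_caps shell_caps = {
    .permitted = CAP_BIT(CAP_NET_ADMIN), .inheritable = 0,
    .effective = CAP_BIT(CAP_NET_ADMIN), .bounding = ~(capmask_t)0,
};
static const struct file_caps ping_fcaps = {
    .permitted = CAP_BIT(CAP_NET_RAW), .inheritable = 0, .effective = 1,
};

capmask_t ping_new_permitted(void) { return exec_with_fcaps(shell_caps, ping_fcaps).permitted; }
capmask_t ping_new_effective(void) { return exec_with_fcaps(shell_caps, ping_fcaps).effective; }
int ping_escalated(void)
{
    return fcaps_escalated(shell_caps, exec_with_fcaps(shell_caps, ping_fcaps));
}

/* Serge's question: a non-empty inheritable set (capsh --inh=cap_sys_admin)
 * only survives exec into a file whose fI names the same capability. */
capmask_t inh_exec_permitted(int file_has_fI)
{
    struct task_caps t = { .permitted = CAP_BIT(CAP_SYS_ADMIN),
                           .inheritable = CAP_BIT(CAP_SYS_ADMIN),
                           .effective = CAP_BIT(CAP_SYS_ADMIN),
                           .bounding = ~(capmask_t)0 };
    struct file_caps f = { .permitted = 0,
                           .inheritable = file_has_fI ? CAP_BIT(CAP_SYS_ADMIN) : 0,
                           .effective = 1 };
    return exec_with_fcaps(t, f).permitted;
}

int main(void)
{
    struct task_caps n = exec_with_fcaps(shell_caps, ping_fcaps);
    printf("cap_pP=%016llx cap_pI=%016llx cap_bprmE=%016llx -> %s\n",
           (unsigned long long)shell_caps.permitted,
           (unsigned long long)shell_caps.inheritable,
           (unsigned long long)n.effective,
           fcaps_escalated(shell_caps, n) ? "audit: fcaps escalation" : "no record");
    printf("ping runs with pP=%016llx (CAP_NET_ADMIN dropped: not in pI)\n",
           (unsigned long long)n.permitted);
    printf("inh-only exec: fI=0 -> %016llx, fI=cap_sys_admin -> %016llx\n",
           (unsigned long long)inh_exec_permitted(0),
           (unsigned long long)inh_exec_permitted(1));
    return 0;
}
```

The first line of output reproduces the decision behind the UNKNOWN[1321] record: 0x2000 is not a subset of 0x1000 & 0 = 0, so the record fires; the second line shows why the CAP_NET_ADMIN still visible in cap_pP/cap_pE at audit time is gone once ping runs. The inheritable-only case shows what Serge's capsh test would exercise: without a matching fI on the target, the inheritable set contributes nothing to the new permitted set.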