Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Serge E. Hallyn wrote: >>> ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess? >>> >>> And then it also might be interesting in the case where >>> (!issecure(SECURE_NOROOT) && uid==0) and pP is not full. >> I guess so, although this seems like a case of being interested in a >> (unusual) non-privileged execve(). > > I'm not sure what you mean - but this can only happen if bits are taken > out of the capability bounding set, right? Yes, it can happen as you say. This is a case of an unprivileged uid==0 execution. Since we don't appear to want to audit other non-privileged execve()s, its not clear to me that this one deserves attention.

>>>>> rc = bprm_caps_from_vfs_caps(&vcaps, bprm); >>>>> >>>>> + audit_log_bprm_fcaps(bprm, &vcaps); >>>>> + >>>> When rc != 0, the execve() will fail. Is it appropriate to log in this case? >>> It might fail because fP contains bits not in pP', right? That's >>> probably interesting to auditors. >> In which case, how is the fact it didn't execute captured in the audit log? > > I assume as a FAIL? (Not sure of the exact wording in the logs) OK. As long as its clearly identified as a failure and the logs are not misleading - making it look like the execve() succeeded with privilege - then I'm not as concerned.