Linux kernel capabilities were augmented to include ambient capabilities in v4.3 commit 58319057b784 ("capabilities: ambient capabilities"). Add interpretation types for cap_pa, old_pa, pa. The record contains fields "old_pp", "old_pi", "old_pe", "new_pp", "new_pi", "new_pe" so in keeping with the previous record normalizations, change the "new_p*" variants to simply drop the "new_" prefix. A sample of the replaced BPRM_FCAPS record: RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000 INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none A sample of the replaced CAPSET record: RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000 INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \ cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \ cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \ cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \ cap_pa=none Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- auparse/typetab.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/auparse/typetab.h b/auparse/typetab.h index be82796..42f3e82 100644 --- a/auparse/typetab.h +++ b/auparse/typetab.h @@ -89,6 +89,7 @@ _S(AUPARSE_TYPE_SESSION, "ses" ) _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" ) _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" ) _S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pa" ) _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" ) _S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" ) _S(AUPARSE_TYPE_CAP_BITMAP, "fp" ) @@ -97,9 +98,14 @@ _S(AUPARSE_TYPE_CAP_BITMAP, "fe" ) _S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" ) _S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" ) _S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "old_pa" ) _S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" ) _S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" ) _S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "pp" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "pi" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "pe" ) +_S(AUPARSE_TYPE_CAP_BITMAP, "pa" ) _S(AUPARSE_TYPE_NFPROTO, "family" ) _S(AUPARSE_TYPE_ICMPTYPE, "icmptype" ) _S(AUPARSE_TYPE_PROTOCOL, "proto" ) -- 1.7.1