On Mon, 2008-10-20 at 11:33 -0500, Serge E. Hallyn wrote:
> Quoting Eric Paris ([EMAIL PROTECTED]):
> > type=SYSCALL msg=audit(1224342849.465:43): arch=c000003e syscall=59 success=yes exit=0 a0=25b6a00 a1=2580410 a2=2580140 a3=8 items=2 ppid=2219 pid=2266 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> This part above is the credentials of the running task, right? Will it
> output your process inheritable set if nonempty?
>
> (I would think you should be able to test this by doing
>
> capsh --inh=cap_sys_admin /bin/sh
> /bin/foo
>
> and look for /bin/foo's record)
>
> thanks,
> -serge
For this (patch 2) I'm adding information so you can tell a process escalated its privs with fcaps. This really means you have to audit EXECVE (since this is when fcaps are applied).

setcap "cap_net_admin+pei" /bin/bash
setcap "cap_net_raw+pei" /bin/ping
auditctl -a exit,always -S execve -F path=/bin/ping

type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=1 name=(null) inode=507963 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(10/20/2008 13:27:55.318:218) : item=0 name=/bin/ping inode=49227 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fP=0000000000002000 cap_fE=1 cap_fVer=2
type=CWD msg=audit(10/20/2008 13:27:55.318:218) : cwd=/home/test
type=UNKNOWN[1321] msg=audit(10/20/2008 13:27:55.318:218) : cap_fP=0000000000002000 cap_fI=0000000000000000 cap_fE=1 cap_pP=0000000000001000 cap_pI=0000000000000000 cap_pE=0000000000001000 cap_bprmE=0000000000002000
type=EXECVE msg=audit(10/20/2008 13:27:55.318:218) : argc=(null) a0=ping a1=127.0.0.1
type=SYSCALL msg=audit(10/20/2008 13:27:55.318:218) : arch=x86_64 syscall=execve success=yes exit=0 a0=2225590 a1=22257e0 a2=223ae30 a3=3445170a70 items=2 ppid=2994 pid=3023 auid=root uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts0 ses=1 comm=ping exe=/bin/ping subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

My initial shell shows in /proc/self/status (matches above):

CapInh: 0000000000000000
CapPrm: 0000000000001000
CapEff: 0000000000001000
CapBnd: ffffffffffffffff

So looking at this, the type=UNKNOWN line is the most interesting. I do an if(!issubset(cap_bprmEff, pP & pI)). I probably should add an if(fE && !issubset(cap_bprmEff, pE & pI)) as well. So, if we are going to change pP (and possibly pE), something like the above set of audit messages is going to pop out. In this case my login shell is ppid=2994 and the pid=3023 is the ping program executing.

Ping worked just fine. Take note that at this point in the code pE and pP still show cap_net_admin (from the /bin/bash fcap), but when ping actually finishes execve and runs it won't have that cap since it isn't in pI.

Patch #3 is going to display more information for sys_capset (assuming you turn on auditctl -a exit,always -S capset). I already wrote that patch, but now I need to figure out a program that calls sys_capset...

-Eric

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
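The exec-time capability transition and the two subset checks Eric describes, worked through on the values in the type=UNKNOWN[1321] record, as an added example that is not part of the patch or the original thread. The transition formula is the one capabilities(7) documents for a non-root task (new pP = (fP & bounding) | (pI & fI); new pE = fE ? new pP : 0); the example assumes no uid 0 / setuid-root special casing and no ambient set, which did not exist in kernels of this era. The record string and the CapBnd value are copied from the mail; the function names, the `struct bprm_caps` layout and the small field parser are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h> for the two caps set on the binaries above. */
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_BIT(c)    ((uint64_t)1 << (c))

/* Fields of the type=UNKNOWN[1321] record plus the task's bounding set
 * (CapBnd from /proc/<pid>/status; the record itself does not carry it). */
struct bprm_caps {
    uint64_t fP, fI;      /* file permitted / inheritable */
    bool     fE;          /* file effective bit */
    uint64_t pP, pI, pE;  /* task sets as they were before execve */
    uint64_t bnd;         /* task bounding set */
};

struct new_caps {
    uint64_t permitted, effective;
};

static bool is_subset(uint64_t a, uint64_t b)
{
    return (a & ~b) == 0;
}

/* Exec-time transition per capabilities(7) for a non-root task.
 * Assumption: no uid 0 special casing, no ambient set; pI is unchanged. */
static struct new_caps fcaps_transition(const struct bprm_caps *c)
{
    struct new_caps n;
    n.permitted = (c->fP & c->bnd) | (c->pI & c->fI);
    n.effective = c->fE ? n.permitted : 0;
    return n;
}

/* The two checks from the mail: flag the exec when the new effective set is
 * not already covered by pP & pI and, when fE is set, by pE & pI. */
static bool fcaps_escalated(const struct bprm_caps *c, uint64_t bprm_effective)
{
    if (!is_subset(bprm_effective, c->pP & c->pI))
        return true;
    if (c->fE && !is_subset(bprm_effective, c->pE & c->pI))
        return true;
    return false;
}

/* Pull "key=<hex>" out of a flattened audit record (example helper). */
static bool parse_u64(const char *rec, const char *key, uint64_t *out)
{
    const char *p = strstr(rec, key);
    if (!p)
        return false;
    p += strlen(key);
    char *end;
    *out = strtoull(p, &end, 16);
    return end != p;
}

static bool parse_record(const char *rec, uint64_t bnd, struct bprm_caps *c)
{
    uint64_t fe;
    if (!parse_u64(rec, "cap_fP=", &c->fP) || !parse_u64(rec, "cap_fI=", &c->fI) ||
        !parse_u64(rec, "cap_fE=", &fe)    || !parse_u64(rec, "cap_pP=", &c->pP) ||
        !parse_u64(rec, "cap_pI=", &c->pI) || !parse_u64(rec, "cap_pE=", &c->pE))
        return false;
    c->fE  = fe != 0;
    c->bnd = bnd;
    return true;
}

/* Constructed input: the record and the CapBnd value quoted in the mail. */
static const char *sample_record =
    "type=UNKNOWN[1321] msg=audit(10/20/2008 13:27:55.318:218) : "
    "cap_fP=0000000000002000 cap_fI=0000000000000000 cap_fE=1 "
    "cap_pP=0000000000001000 cap_pI=0000000000000000 cap_pE=0000000000001000 "
    "cap_bprmE=0000000000002000";
static const uint64_t sample_bnd = 0xffffffffffffffffULL;

/* Returns 1 if the record describes an fcaps privilege escalation, 0 if not,
 * -1 on a parse error; fills in the sets the exec'd image will start with. */
static int analyze_record(const char *rec, uint64_t bnd, struct new_caps *out)
{
    struct bprm_caps c;
    if (!parse_record(rec, bnd, &c))
        return -1;
    *out = fcaps_transition(&c);
    return fcaps_escalated(&c, out->effective) ? 1 : 0;
}

int main(void)
{
    struct new_caps n;
    int escalated = analyze_record(sample_record, sample_bnd, &n);
    printf("new pP=%016llx new pE=%016llx escalated=%d\n",
           (unsigned long long)n.permitted, (unsigned long long)n.effective, escalated);
    return escalated < 0;
}
```

Run against the record from the mail, the computed new permitted and effective sets are both cap_net_raw only (0x2000), which matches the cap_bprmE field and shows cap_net_admin from the /bin/bash fcap being dropped because it is not in pI; the first subset check fires because pP & pI is empty. Feeding the same file caps to a task that already holds cap_net_raw in pP, pI and pE passes both checks, so the record would not be flagged.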