On Thu, Mar 02, 2017 at 08:10:29PM -0500, Richard Guy Briggs wrote:
> The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
> application execution (SYSCALL execve). This is not expected as it was
> supposed to be limited to when the file system actually had capabilities
> in an extended attribute. It lists all capabilities making the event
> really ugly to parse what is happening. The PATH record correctly
> records the setuid bit and owner. Suppress the BPRM_FCAPS record on
> set*id.
>
> See: https://github.com/linux-audit/audit-kernel/issues/16
Hey Richard, one possibly audit-worth case which (if I read correctly) this will skip is where a setuid-root binary has filecaps which *limit* its privs. Does that matter?

> Signed-off-by: Richard Guy Briggs <[email protected]> > --- > security/commoncap.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 14540bd..8f6bedf 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -594,16 +594,17 @@ skip: > /* > * Audit candidate if current->cap_effective is set > * > - * We do not bother to audit if 3 things are true: > + * We do not bother to audit if 4 things are true: > * 1) cap_effective has all caps > * 2) we are root > * 3) root is supposed to have all caps (SECURE_NOROOT) > + * 4) we are running a set*id binary > * Since this is just a normal root execing a process. > * > * Number 1 above might fail if you don't have a full bset, but I think > * that is interesting information to audit. > */ > - if (!cap_issubset(new->cap_effective, new->cap_ambient)) { > + if (!is_setid && !cap_issubset(new->cap_effective, new->cap_ambient)) { > if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || > !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) > || > issecure(SECURE_NOROOT)) { > -- > 1.7.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
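Review bot: the reworded comment says auditing is skipped "if 4 things are true", but the new `!is_setid &&` guard on the outer `if` makes condition 4 sufficient by itself: a set*id exec never reaches the inner test of conditions 1-3, so the BPRM_FCAPS record is dropped even when cap_effective is not the full set, the new euid/uid is not root, or SECURE_NOROOT is in force, which is exactly the setuid-root-with-limiting-filecaps case raised above. Either move the set*id test into the inner condition next to the other three so the comment matches the code, or reword the comment to say set*id execs are excluded outright and explain in the commit message why losing that case is acceptable; the trailing "Since this is just a normal root execing a process" also no longer describes the set*id path. Separately, `is_setid` is not declared anywhere in this hunk, so the commit message should state where it is computed and what it covers, since a reviewer cannot confirm from the diff that it reflects the file's setuid/setgid bits.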
