Quoting Richard Guy Briggs ([email protected]):
> The cap_* fields swing in and out of PATH records.
> If no capabilities are set, the cap_* fields are completely missing and when
> one of the cap_fi or cap_fp values is empty, that field is omitted.
>
> Original:
> type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL
> type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep
> inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1
> cap_fver=2
>
> Normalize the PATH record by always printing all 4 cap_* fields.
>
> Fixed:
> type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep
> inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none
> cap_fe=1 cap_fver=2
>
> See: https://github.com/linux-audit/audit-kernel/issues/42
>
> Signed-off-by: Richard Guy Briggs <[email protected]>
Is this a big problem for the audit daemon? There's no actual incorrectness
here right? I'm not completely opposed, but it does seem like a waste of
space in the (overwhelmingly) most common cases.
> ---
> kernel/audit.c | 20 ++++----------------
> 1 files changed, 4 insertions(+), 16 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 10bc2ba..de264d1 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1956,22 +1956,10 @@ void audit_log_cap(struct audit_buffer *ab, char
> *prefix, kernel_cap_t *cap)
>
> static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names
> *name)
> {
> - kernel_cap_t *perm = &name->fcap.permitted;
> - kernel_cap_t *inh = &name->fcap.inheritable;
> - int log = 0;
> -
> - if (!cap_isclear(*perm)) {
> - audit_log_cap(ab, "cap_fp", perm);
> - log = 1;
> - }
> - if (!cap_isclear(*inh)) {
> - audit_log_cap(ab, "cap_fi", inh);
> - log = 1;
> - }
> -
> - if (log)
> - audit_log_format(ab, " cap_fe=%d cap_fver=%x",
> - name->fcap.fE, name->fcap_ver);
> + audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
> + audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
> + audit_log_format(ab, " cap_fe=%d cap_fver=%x",
> + name->fcap.fE, name->fcap_ver);
> }
>
> static inline int audit_copy_fcaps(struct audit_names *name,
> --
> 1.7.1
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
