On Wed, Sep 20, 2017 at 6:25 PM, Kees Cook <[email protected]> wrote:
> On Wed, Sep 20, 2017 at 3:11 PM, Paul Moore <[email protected]> wrote:
>> On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs <[email protected]> wrote:
>>> Now that the logic is inverted, it is much easier to see that both real
>>> root and effective root conditions had to be met to avoid printing the
>>> BPRM_FCAPS record with audit syscalls. This meant that any setuid root
>>> applications would print a full BPRM_FCAPS record when it wasn't
>>> necessary, cluttering the event output, since the SYSCALL and PATH
>>> records indicated the presence of the setuid bit and effective root user
>>> id.
>>>
>>> Require only one of effective root or real root to avoid printing the
>>> unnecessary record.
>>>
>>> Ref: commit 3fc689e96c0c ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS")
>>> See: https://github.com/linux-audit/audit-kernel/issues/16
>>>
>>> Signed-off-by: Richard Guy Briggs <[email protected]>
>>> Reviewed-by: Serge Hallyn <[email protected]>
>>> Acked-by: James Morris <[email protected]>
>>> ---
>>>  security/commoncap.c | 5 ++---
>>>  1 files changed, 2 insertions(+), 3 deletions(-)
>>
>> Trying to sort this out, I've decided that I dislike the capabilities
>> code as much as I dislike the audit code.
>
> Read binfmt_elf.c and your journey towards the dark side will be complete!
It's only Wednesday, I'm not sure I want to inflict that much self-harm on
myself by mid-week.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
