On May 12, 2026 Sergio Correia <[email protected]> wrote: > > __audit_log_capset() records the effective capability set into the > inheritable field due to a copy-paste error. Every CAPSET audit > record therefore reports cap_pi (process inheritable) with the value > of cap_effective instead of cap_inheritable. > > This silently corrupts audit data used for compliance and forensic > analysis: an attacker who modifies inheritable capabilities to > prepare for a privilege-escalating exec would have the change masked > in the audit trail. > > The bug has been present since the original introduction of CAPSET > audit records in 2008. > > Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for > audit to record the actual capbilities being added/removed. This patch adds > a new record type which emits the target pid and the eff, inh, and perm cap > sets.") > Reviewed-by: Ricardo Robaina <[email protected]> > Assisted-by: Claude:claude-opus-4-6 > Signed-off-by: Sergio Correia <[email protected]> > --- > kernel/auditsc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-)
Good work, thanks! I'm merging this into audit/stable-7.1 and will send this up to Linus later this week. -- paul-moore.com
