• Richard Guy Briggs's avatar
    audit: add ambient capabilities to CAPSET and BPRM_FCAPS records · 7786f6b6
    Richard Guy Briggs authored
    Capabilities were augmented to include ambient capabilities in v4.3
    commit 58319057 ("capabilities: ambient capabilities").
    
    Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
    
    The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
    "new_pi", "new_pe" so in keeping with the previous record
    normalizations, change the "new_*" variants to simply drop the "new_"
    prefix.
    
    A sample of the replaced BPRM_FCAPS record:
    RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2
    fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000
    old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000
    pp=0000000000200000 pi=0000000000000000 pe=0000000000200000
    pa=0000000000000000
    
    INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237):
    fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none
    old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
    
    A sample of the replaced CAPSET record:
    RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833
    cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff
    cap_pa=0000000000000000
    
    INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
    cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,
    setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,
    sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
    setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
    sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,
    setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,
    net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,
    sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,
    sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,
    mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
    cap_pa=none
    
    See: https://github.com/linux-audit/audit-kernel/issues/40Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    7786f6b6
audit.h 10.9 KB