diff options
| author | Richard Guy Briggs <rgb@redhat.com> | 2019-01-23 21:36:25 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2019-01-25 13:31:23 -0500 |
| commit | 2fec30e245a3b46fef89c4cb1f74eefc5fbb29a6 (patch) | |
| tree | 30f896171576cf88bf31c1cdd6c26140ab1ab47f | |
| parent | 4b7d248b3a1de483ffe9d05c1debbf32a544164d (diff) | |
audit: add support for fcaps v3
V3 namespaced file capabilities were introduced in
commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Add support for these by adding the "frootid" field to the existing
fcaps fields in the NAME and BPRM_FCAPS records.
Please see github issue
https://github.com/linux-audit/audit-kernel/issues/103
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
[PM: comment tweak to fit an 80 char line width]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | include/linux/capability.h | 5 | ||||
| -rw-r--r-- | kernel/audit.c | 6 | ||||
| -rw-r--r-- | kernel/audit.h | 1 | ||||
| -rw-r--r-- | kernel/auditsc.c | 4 | ||||
| -rw-r--r-- | security/commoncap.c | 2 |
5 files changed, 14 insertions, 4 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h index f640dcbc880c..b769330e9380 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | #define _LINUX_CAPABILITY_H | 14 | #define _LINUX_CAPABILITY_H |
| 15 | 15 | ||
| 16 | #include <uapi/linux/capability.h> | 16 | #include <uapi/linux/capability.h> |
| 17 | 17 | #include <linux/uidgid.h> | |
| 18 | 18 | ||
| 19 | #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 | 19 | #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 |
| 20 | #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 | 20 | #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 |
| @@ -25,11 +25,12 @@ typedef struct kernel_cap_struct { | |||
| 25 | __u32 cap[_KERNEL_CAPABILITY_U32S]; | 25 | __u32 cap[_KERNEL_CAPABILITY_U32S]; |
| 26 | } kernel_cap_t; | 26 | } kernel_cap_t; |
| 27 | 27 | ||
| 28 | /* exact same as vfs_cap_data but in cpu endian and always filled completely */ | 28 | /* same as vfs_ns_cap_data but in cpu endian and always filled completely */ |
| 29 | struct cpu_vfs_cap_data { | 29 | struct cpu_vfs_cap_data { |
| 30 | __u32 magic_etc; | 30 | __u32 magic_etc; |
| 31 | kernel_cap_t permitted; | 31 | kernel_cap_t permitted; |
| 32 | kernel_cap_t inheritable; | 32 | kernel_cap_t inheritable; |
| 33 | kuid_t rootid; | ||
| 33 | }; | 34 | }; |
| 34 | 35 | ||
| 35 | #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) | 36 | #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) |
diff --git a/kernel/audit.c b/kernel/audit.c index 2a32f304223d..3f3f1888cac7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -2084,8 +2084,9 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) | |||
| 2084 | { | 2084 | { |
| 2085 | audit_log_cap(ab, "cap_fp", &name->fcap.permitted); | 2085 | audit_log_cap(ab, "cap_fp", &name->fcap.permitted); |
| 2086 | audit_log_cap(ab, "cap_fi", &name->fcap.inheritable); | 2086 | audit_log_cap(ab, "cap_fi", &name->fcap.inheritable); |
| 2087 | audit_log_format(ab, " cap_fe=%d cap_fver=%x", | 2087 | audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d", |
| 2088 | name->fcap.fE, name->fcap_ver); | 2088 | name->fcap.fE, name->fcap_ver, |
| 2089 | from_kuid(&init_user_ns, name->fcap.rootid)); | ||
| 2089 | } | 2090 | } |
| 2090 | 2091 | ||
| 2091 | static inline int audit_copy_fcaps(struct audit_names *name, | 2092 | static inline int audit_copy_fcaps(struct audit_names *name, |
| @@ -2104,6 +2105,7 @@ static inline int audit_copy_fcaps(struct audit_names *name, | |||
| 2104 | name->fcap.permitted = caps.permitted; | 2105 | name->fcap.permitted = caps.permitted; |
| 2105 | name->fcap.inheritable = caps.inheritable; | 2106 | name->fcap.inheritable = caps.inheritable; |
| 2106 | name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); | 2107 | name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); |
| 2108 | name->fcap.rootid = caps.rootid; | ||
| 2107 | name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> | 2109 | name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> |
| 2108 | VFS_CAP_REVISION_SHIFT; | 2110 | VFS_CAP_REVISION_SHIFT; |
| 2109 | 2111 | ||
diff --git a/kernel/audit.h b/kernel/audit.h index 6ffb70575082..deefdbe61a47 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
| @@ -69,6 +69,7 @@ struct audit_cap_data { | |||
| 69 | kernel_cap_t effective; /* effective set of process */ | 69 | kernel_cap_t effective; /* effective set of process */ |
| 70 | }; | 70 | }; |
| 71 | kernel_cap_t ambient; | 71 | kernel_cap_t ambient; |
| 72 | kuid_t rootid; | ||
| 72 | }; | 73 | }; |
| 73 | 74 | ||
| 74 | /* When fs/namei.c:getname() is called, we store the pointer in name and bump | 75 | /* When fs/namei.c:getname() is called, we store the pointer in name and bump |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 572d247957fb..c16beb25fd0a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -1358,6 +1358,9 @@ static void audit_log_exit(void) | |||
| 1358 | audit_log_cap(ab, "pi", &axs->new_pcap.inheritable); | 1358 | audit_log_cap(ab, "pi", &axs->new_pcap.inheritable); |
| 1359 | audit_log_cap(ab, "pe", &axs->new_pcap.effective); | 1359 | audit_log_cap(ab, "pe", &axs->new_pcap.effective); |
| 1360 | audit_log_cap(ab, "pa", &axs->new_pcap.ambient); | 1360 | audit_log_cap(ab, "pa", &axs->new_pcap.ambient); |
| 1361 | audit_log_format(ab, " frootid=%d", | ||
| 1362 | from_kuid(&init_user_ns, | ||
| 1363 | axs->fcap.rootid)); | ||
| 1361 | break; } | 1364 | break; } |
| 1362 | 1365 | ||
| 1363 | } | 1366 | } |
| @@ -2271,6 +2274,7 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | |||
| 2271 | ax->fcap.permitted = vcaps.permitted; | 2274 | ax->fcap.permitted = vcaps.permitted; |
| 2272 | ax->fcap.inheritable = vcaps.inheritable; | 2275 | ax->fcap.inheritable = vcaps.inheritable; |
| 2273 | ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); | 2276 | ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); |
| 2277 | ax->fcap.rootid = vcaps.rootid; | ||
| 2274 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; | 2278 | ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; |
| 2275 | 2279 | ||
| 2276 | ax->old_pcap.permitted = old->cap_permitted; | 2280 | ax->old_pcap.permitted = old->cap_permitted; |
diff --git a/security/commoncap.c b/security/commoncap.c index 232db019f051..c097f3568001 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -643,6 +643,8 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data | |||
| 643 | cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | 643 | cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
| 644 | cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | 644 | cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
| 645 | 645 | ||
| 646 | cpu_caps->rootid = rootkuid; | ||
| 647 | |||
| 646 | return 0; | 648 | return 0; |
| 647 | } | 649 | } |
| 648 | 650 | ||