audit: add ambient capabilities to CAPSET and BPRM_FCAPS records

Capabilities were augmented to include ambient capabilities in v4.3 commit 58319057b784 ("capabilities: ambient capabilities"). Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records. The record contains fields "old_pp", "old_pi", "old_pe", "new_pp", "new_pi", "new_pe" so in keeping with the previous record normalizations, change the "new_*" variants to simply drop the "new_" prefix. A sample of the replaced BPRM_FCAPS record: RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000 INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237): fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none A sample of the replaced CAPSET record: RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000 INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill, setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast, net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot, sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time, sys_tty_config,mknod,lease,audit_write,audit_control,setfcap, mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid, setuid,setpcap,linux_immutable,net_bind_service,net_broadcast, net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot, sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource, sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap, mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid, setuid,setpcap,linux_immutable,net_bind_service,net_broadcast, net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot, sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource, sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap, mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read cap_pa=none See: https://github.com/linux-audit/audit-kernel/issues/40 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Guy Briggs <rgb@redhat.com> 2017-04-07 10:17:27 -0400
committer: Paul Moore <paul@paul-moore.com> 2017-05-30 17:36:11 -0400
commit: 7786f6b6dfc12d17eea2df04116de6ebac50c884 (patch)
tree: 01230b564d1c75dab46083b48ead194d06c416b4 /kernel/auditsc.c
parent: 4b3e4ed6b0d958d7fb2f160bb8ebfb4f0db19382 (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2dcbe637b7c..5fa68d10032f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1260,6 +1260,7 @@ static void show_special(struct audit_context *context, int *call_panic)
                audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
                audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
                audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
+                audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
                break;
        case AUDIT_MMAP:
                audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
@@ -1381,9 +1382,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                        audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
                        audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
                        audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
-                        audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
+                        audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
-                        audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
+                        audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
-                        audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
+                        audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
+                        audit_log_cap(ab, "pe", &axs->new_pcap.effective);
+                        audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
                        break; }
                }
@@ -2341,10 +2344,12 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
        ax->old_pcap.permitted   = old->cap_permitted;
        ax->old_pcap.inheritable = old->cap_inheritable;
        ax->old_pcap.effective   = old->cap_effective;
+        ax->old_pcap.ambient     = old->cap_ambient;
        ax->new_pcap.permitted   = new->cap_permitted;
        ax->new_pcap.inheritable = new->cap_inheritable;
        ax->new_pcap.effective   = new->cap_effective;
+        ax->new_pcap.ambient     = new->cap_ambient;
        return 0;
 }
@@ -2363,6 +2368,7 @@ void __audit_log_capset(const struct cred *new, const struct cred *old)
        context->capset.cap.effective   = new->cap_effective;
        context->capset.cap.inheritable = new->cap_effective;
        context->capset.cap.permitted   = new->cap_permitted;
+        context->capset.cap.ambient     = new->cap_ambient;
        context->type = AUDIT_CAPSET;
 }
author	Richard Guy Briggs <rgb@redhat.com>	2017-04-07 10:17:27 -0400
committer	Paul Moore <paul@paul-moore.com>	2017-05-30 17:36:11 -0400
commit	7786f6b6dfc12d17eea2df04116de6ebac50c884 (patch)
tree	01230b564d1c75dab46083b48ead194d06c416b4 /kernel/auditsc.c
parent	4b3e4ed6b0d958d7fb2f160bb8ebfb4f0db19382 (diff)