aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2008-11-11 05:48:18 -0500
committerJames Morris <jmorris@namei.org>2008-11-11 05:48:18 -0500
commit3fc689e96c0c90b6fede5946d6c31075e9464f69 (patch)
tree5e59b6c607eb595ababa74bad18787cfa49b16e9 /security
parent851f7ff56d9c21272f289dd85fb3f1b6cf7a6e10 (diff)
Any time fcaps or a setuid app under SECURE_NOROOT is used to result in a
non-zero pE we will crate a new audit record which contains the entire set of known information about the executable in question, fP, fI, fE, fversion and includes the process's pE, pI, pP. Before and after the bprm capability are applied. This record type will only be emitted from execve syscalls. an example of making ping use fcaps instead of setuid: setcap "cat_net_raw+pe" /bin/ping type=SYSCALL msg=audit(1225742021.015:236): arch=c000003e syscall=59 success=yes exit=0 a0=1457f30 a1=14606b0 a2=1463940 a3=321b770a70 items=2 ppid=2929 pid=2963 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=UNKNOWN[1321] msg=audit(1225742021.015:236): fver=2 fp=0000000000002000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000000000002000 new_pi=0000000000000000 new_pe=0000000000002000 type=EXECVE msg=audit(1225742021.015:236): argc=2 a0="ping" a1="127.0.0.1" type=CWD msg=audit(1225742021.015:236): cwd="/home/test" type=PATH msg=audit(1225742021.015:236): item=0 name="/bin/ping" inode=49256 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 cap_fp=0000000000002000 cap_fe=1 cap_fver=2 type=PATH msg=audit(1225742021.015:236): item=1 name=(null) inode=507915 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/commoncap.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index d7eff5797b91..d45393380997 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -8,6 +8,7 @@
8 */ 8 */
9 9
10#include <linux/capability.h> 10#include <linux/capability.h>
11#include <linux/audit.h>
11#include <linux/module.h> 12#include <linux/module.h>
12#include <linux/init.h> 13#include <linux/init.h>
13#include <linux/kernel.h> 14#include <linux/kernel.h>
@@ -376,6 +377,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
376 377
377void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 378void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
378{ 379{
380 kernel_cap_t pP = current->cap_permitted;
381 kernel_cap_t pE = current->cap_effective;
382
379 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 383 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
380 !cap_issubset(bprm->cap_post_exec_permitted, 384 !cap_issubset(bprm->cap_post_exec_permitted,
381 current->cap_permitted)) { 385 current->cap_permitted)) {
@@ -409,7 +413,24 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
409 cap_clear(current->cap_effective); 413 cap_clear(current->cap_effective);
410 } 414 }
411 415
412 /* AUD: Audit candidate if current->cap_effective is set */ 416 /*
417 * Audit candidate if current->cap_effective is set
418 *
419 * We do not bother to audit if 3 things are true:
420 * 1) cap_effective has all caps
421 * 2) we are root
422 * 3) root is supposed to have all caps (SECURE_NOROOT)
423 * Since this is just a normal root execing a process.
424 *
425 * Number 1 above might fail if you don't have a full bset, but I think
426 * that is interesting information to audit.
427 */
428 if (!cap_isclear(current->cap_effective)) {
429 if (!cap_issubset(CAP_FULL_SET, current->cap_effective) ||
430 (bprm->e_uid != 0) || (current->uid != 0) ||
431 issecure(SECURE_NOROOT))
432 audit_log_bprm_fcaps(bprm, &pP, &pE);
433 }
413 434
414 current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 435 current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
415} 436}