1 files changed, 22 insertions, 1 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index d7eff5797b91..d45393380997 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -8,6 +8,7 @@
 */
 #include <linux/capability.h>
+#include <linux/audit.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
@@ -376,6 +377,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 {
+        kernel_cap_t pP = current->cap_permitted;
+        kernel_cap_t pE = current->cap_effective;
        if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
            !cap_issubset(bprm->cap_post_exec_permitted,
                          current->cap_permitted)) {
@@ -409,7 +413,24 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
                        cap_clear(current->cap_effective);
        }
-        /* AUD: Audit candidate if current->cap_effective is set */
+        /*
+         * Audit candidate if current->cap_effective is set
+         *
+         * We do not bother to audit if 3 things are true:
+         *   1) cap_effective has all caps
+         *   2) we are root
+         *   3) root is supposed to have all caps (SECURE_NOROOT)
+         * Since this is just a normal root execing a process.
+         *
+         * Number 1 above might fail if you don't have a full bset, but I think
+         * that is interesting information to audit.
+         */
+        if (!cap_isclear(current->cap_effective)) {
+                if (!cap_issubset(CAP_FULL_SET, current->cap_effective) ||
+                    (bprm->e_uid != 0) || (current->uid != 0) ||
+                    issecure(SECURE_NOROOT))
+                        audit_log_bprm_fcaps(bprm, &pP, &pE);
+        }
        current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
 }

diff --git a/security/commoncap.c b/security/commoncap.c index d7eff5797b91..d45393380997 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -8,6 +8,7 @@
8	*/	8	*/
9		9
10	#include <linux/capability.h>	10	#include <linux/capability.h>
		11	#include <linux/audit.h>
11	#include <linux/module.h>	12	#include <linux/module.h>
12	#include <linux/init.h>	13	#include <linux/init.h>
13	#include <linux/kernel.h>	14	#include <linux/kernel.h>
@@ -376,6 +377,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
376		377
377	void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)	378	void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
378	{	379	{
		380	kernel_cap_t pP = current->cap_permitted;
		381	kernel_cap_t pE = current->cap_effective;
		382
379	if (bprm->e_uid != current->uid \|\| bprm->e_gid != current->gid \|\|	383	if (bprm->e_uid != current->uid \|\| bprm->e_gid != current->gid \|\|
380	!cap_issubset(bprm->cap_post_exec_permitted,	384	!cap_issubset(bprm->cap_post_exec_permitted,
381	current->cap_permitted)) {	385	current->cap_permitted)) {
@@ -409,7 +413,24 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
409	cap_clear(current->cap_effective);	413	cap_clear(current->cap_effective);
410	}	414	}
411		415
412	/* AUD: Audit candidate if current->cap_effective is set */	416	/*
		417	* Audit candidate if current->cap_effective is set
		418	*
		419	* We do not bother to audit if 3 things are true:
		420	* 1) cap_effective has all caps
		421	* 2) we are root
		422	* 3) root is supposed to have all caps (SECURE_NOROOT)
		423	* Since this is just a normal root execing a process.
		424	*
		425	* Number 1 above might fail if you don't have a full bset, but I think
		426	* that is interesting information to audit.
		427	*/
		428	if (!cap_isclear(current->cap_effective)) {
		429	if (!cap_issubset(CAP_FULL_SET, current->cap_effective) \|\|
		430	(bprm->e_uid != 0) \|\| (current->uid != 0) \|\|
		431	issecure(SECURE_NOROOT))
		432	audit_log_bprm_fcaps(bprm, &pP, &pE);
		433	}
413		434
414	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);	435	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
415	}	436	}