From patchwork Thu May 11 20:42:42 2017
From: Richard Guy Briggs
To: linux-security-module@vger.kernel.org, linux-audit@redhat.com
Cc: Richard Guy Briggs, Andy Lutomirski, "Serge E. Hallyn", Kees Cook, James Morris, Eric Paris, Paul Moore, Steve Grubb
Subject: [RFC PATCH V2 3/4] capabilities: fix logic for effective root or real root
Date: Thu, 11 May 2017 16:42:42 -0400
Message-Id: <771a50ef3c8263ed77a2bcb84f5e75b95ead0495.1494527628.git.rgb@redhat.com>

Now that the logic is inverted, it is much easier to see that both real root and effective root conditions had to be met to avoid printing the BPRM_FCAPS record with audit syscalls. This meant that any setuid root application would print a full BPRM_FCAPS record when it wasn't necessary, cluttering the event output, since the SYSCALL and PATH records indicated the presence of the setuid bit and effective root user id.

Require only one of effective root or real root to avoid printing the unnecessary record.

Ref: 3fc689e96c0c (Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS)
See: https://github.com/linux-audit/audit-kernel/issues/16

Signed-off-by: Richard Guy Briggs
---
 security/commoncap.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 664d6a5..c0adee6 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -608,7 +608,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) * Number 1 above might fail if you don't have a full bset, but I think * that is interesting information to audit. */ - if (pESET && !(pEALL && EROOT && RROOT && SROOT) ) { + if (pESET && !(pEALL && (EROOT || RROOT) && SROOT) ) { ret = audit_log_bprm_fcaps(bprm, new, old); if (ret < 0) return ret;
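Review bot: the comment block directly above this condition still describes the old rule and should be updated in the same hunk; its visible tail ("Number 1 above might fail if you don't have a full bset, but I think that is interesting information to audit.") refers to a numbered list of conditions under which the record is skipped, and after this change that list needs to say that either effective root or real root satisfies the root condition, otherwise the comment and the code disagree. Note also that `(EROOT || RROOT)` is symmetric: besides the intended setuid-root case (EROOT true, RROOT false) argued for in the commit message, it equally suppresses the record when RROOT is true and EROOT is false while pESET, pEALL and SROOT hold; if that second case is meant to be covered, the commit message should say so, and if not, the condition should be narrowed to the case actually being justified. Finally, a style nit while the line is being touched: `SROOT) )` carries a stray space before the closing parenthesis, so write `SROOT))`.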