LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: "Andrew G. Morgan" <morgan@kernel.org>,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	sgrubb@redhat.com, viro@ZenIV.linux.org.uk
Subject: Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities
Date: Thu, 30 Oct 2008 08:35:41 -0500	[thread overview]
Message-ID: <20081030133541.GA4385@us.ibm.com> (raw)
In-Reply-To: <1225317519.23736.60.camel@localhost.localdomain>

Quoting Eric Paris (eparis@redhat.com):
> On Wed, 2008-10-22 at 21:13 -0700, Andrew G. Morgan wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Serge E. Hallyn wrote:
> > >>> ... except if (!issecure(SECURE_NOROOT) && uid==0) I guess?
> > >>>
> > >>> And then it also might be interesting in the case where
> > >>> (!issecure(SECURE_NOROOT) && uid==0) and pP is not full.
> > >> I guess so, although this seems like a case of being interested in a
> > >> (unusual) non-privileged execve().
> > > 
> > > I'm not sure what you mean - but this can only happen if bits are taken
> > > out of the capability bounding set, right?
> > 
> > Yes, it can happen as you say.
> > 
> > This is a case of an unprivileged uid==0 execution. Since we don't
> > appear to want to audit other non-privileged execve()s, its not clear to
> > me that this one deserves attention.
> 
> So what did you two agree on for when to collect fcaps type information?
> Any time bprm->cap_post_exec_permitted is non-zero?

And (bprm->e_uid!=0 && current->uid!=0 && !issecure(SECURE_NOROOT)) -
otherwise you'll get a hit for every file executed by root.  If you're
ok with that noise, then it's fine with me.  (I assume it can be
filtered out using an audit rule by userspace anyway?)

The inverse case that I suggested is interesting because root was
prevented from running with full capabilities - which could be
indicative of a sendmail-capabilities-bug style of attack.

-serge

  reply	other threads:[~2008-10-30 13:42 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-10-20 22:25 [PATCH 0/4] Audit support for file capabilities Eric Paris
2008-10-20 22:26 ` [PATCH 1/4] CAPABILITIES: add cpu endian vfs caps structure Eric Paris
2008-10-21  5:50   ` Andrew G. Morgan
2008-10-21 13:22     ` Eric Paris
2008-10-20 22:26 ` [PATCH 2/4] AUDIT: output permitted and inheritable fcaps in PATH records Eric Paris
2008-10-20 22:26 ` [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities Eric Paris
2008-10-21  5:53   ` Andrew G. Morgan
2008-10-21 19:16     ` Serge E. Hallyn
2008-10-22 12:51       ` Andrew G. Morgan
2008-10-22 14:14         ` Serge E. Hallyn
2008-10-23  4:13           ` Andrew G. Morgan
2008-10-29 21:58             ` Eric Paris
2008-10-30 13:35               ` Serge E. Hallyn [this message]
2008-10-20 22:26 ` [PATCH 4/4] AUDIT: emit new record type showing all capset information Eric Paris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20081030133541.GA4385@us.ibm.com \
    --to=serue@us.ibm.com \
    --cc=eparis@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=morgan@kernel.org \
    --cc=sgrubb@redhat.com \
    --cc=viro@ZenIV.linux.org.uk \
    --subject='Re: [PATCH 3/4] AUDIT: audit when fcaps increase the permitted or inheritable capabilities' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).