[PATCH V4 09/10] capabilities: fix logic for effective root or real root

[PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root · jmorris@namei.org (James Morris) · 2017-09-06
[PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root · Kees Cook <hidden> · 2017-09-07
[PATCH V4 02/10] capabilities: intuitive names for cap gain status · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 02/10] capabilities: intuitive names for cap gain status · Kees Cook <hidden> · 2017-09-07
[PATCH V4 03/10] capabilities: rename has_cap to has_fcap · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 03/10] capabilities: rename has_cap to has_fcap · Kees Cook <hidden> · 2017-09-08
[PATCH V4 04/10] capabilities: use root_priveleged inline to clarify logic · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 04/10] capabilities: use root_priveleged inline to clarify logic · Kees Cook <hidden> · 2017-09-08
[PATCH V4 05/10] capabilities: use intuitive names for id changes · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 05/10] capabilities: use intuitive names for id changes · Kees Cook <hidden> · 2017-09-08
[PATCH V4 06/10] capabilities: move audit log decision to function · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 06/10] capabilities: move audit log decision to function · Kees Cook <hidden> · 2017-09-08
[PATCH V4 07/10] capabilities: remove a layer of conditional logic · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 07/10] capabilities: remove a layer of conditional logic · Kees Cook <hidden> · 2017-09-08
[PATCH V4 08/10] capabilities: invert logic for clarity · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 08/10] capabilities: invert logic for clarity · Kees Cook <hidden> · 2017-09-08
[PATCH V4 09/10] capabilities: fix logic for effective root or real root · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 09/10] capabilities: fix logic for effective root or real root · Kees Cook <hidden> · 2017-09-08
[PATCH V4 09/10] capabilities: fix logic for effective root or real root · paul@paul-moore.com (Paul Moore) · 2017-09-20
[PATCH V4 09/10] capabilities: fix logic for effective root or real root · Kees Cook <hidden> · 2017-09-20
[PATCH V4 09/10] capabilities: fix logic for effective root or real root · paul@paul-moore.com (Paul Moore) · 2017-09-20
[PATCH V4 10/10] capabilities: audit log other surprising conditions · Richard Guy Briggs <hidden> · 2017-09-05
[PATCH V4 10/10] capabilities: audit log other surprising conditions · Kees Cook <hidden> · 2017-09-08
[PATCH V4 10/10] capabilities: audit log other surprising conditions · paul@paul-moore.com (Paul Moore) · 2017-09-20
[PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · paul@paul-moore.com (Paul Moore) · 2017-09-08
[PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · Richard Guy Briggs <hidden> · 2017-09-14
[PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · paul@paul-moore.com (Paul Moore) · 2017-09-14
[PATCH V4 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · paul@paul-moore.com (Paul Moore) · 2017-09-14

From: paul@paul-moore.com (Paul Moore)
Date: 2017-09-20 22:11:40

On Tue, Sep 5, 2017 at 2:46 AM, Richard Guy Briggs [off-list ref] wrote:

Now that the logic is inverted, it is much easier to see that both real
root and effective root conditions had to be met to avoid printing the
BPRM_FCAPS record with audit syscalls.  This meant that any setuid root
applications would print a full BPRM_FCAPS record when it wasn't
necessary, cluttering the event output, since the SYSCALL and PATH
records indicated the presence of the setuid bit and effective root user
id.

Require only one of effective root or real root to avoid printing the
unnecessary record.

Ref: commit 3fc689e96c0c ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS")
See: https://github.com/linux-audit/audit-kernel/issues/16

Signed-off-by: Richard Guy Briggs <redacted>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <redacted>
---
 security/commoncap.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

Trying to sort this out, I've decided that I dislike the capabilities
code as much as I dislike the audit code.

Acked-by: Paul Moore <paul@paul-moore.com>

quoted hunk ↗ jump to hunk

diff --git a/security/commoncap.c b/security/commoncap.c
index 7e8041d..759f3fa 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c

@@ -532,7 +532,7 @@ static inline bool __is_setgid(struct cred *new, const struct cred *old)
  *
  * We do not bother to audit if 3 things are true:
  *   1) cap_effective has all caps
- *   2) we are root
+ *   2) we became root *OR* are were already root
  *   3) root is supposed to have all caps (SECURE_NOROOT)
  * Since this is just a normal root execing a process.
  *

@@ -545,8 +545,7 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)

        if (__cap_grew(effective, ambient, cred) &&
            !(__cap_full(effective, cred) &&
-             __is_eff(root, cred) &&
-             __is_real(root, cred) &&
+             (__is_eff(root, cred) || __is_real(root, cred)) &&
              root_privileged()))
                ret = true;
        return ret;
--

1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help