[PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id

[PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 02/10] capabilities: intuitive names for cap gain status · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 04/10] capabilities: use root_priveleged inline to clarify logic · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 05/10] capabilities: use intuitive names for id changes · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 07/10] capabilities: remove a layer of conditional logic · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 09/10] capabilities: fix logic for effective root or real root · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 10/10] capabilities: audit log other surprising conditions · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 08/10] capabilities: invert logic for clarity · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 06/10] capabilities: move audit log decision to function · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 03/10] capabilities: rename has_cap to has_fcap · Richard Guy Briggs <hidden> · 2017-10-12
[PATCH GHAK16 V5 01/10] capabilities: factor out cap_bprm_set_creds privileged root · Richard Guy Briggs <hidden> · 2017-10-12
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · Richard Guy Briggs <hidden> · 2017-10-19
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · James Morris <hidden> · 2017-10-20
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · Richard Guy Briggs <hidden> · 2017-10-20
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id · James Morris <hidden> · 2017-10-20

From: James Morris <hidden>
Date: 2017-10-20 05:15:15
Also in: lkml

On Thu, 19 Oct 2017, Richard Guy Briggs wrote:

On 2017-10-11 20:57, Richard Guy Briggs wrote:

quoted

The audit subsystem is adding a BPRM_FCAPS record when auditing setuid
application execution (SYSCALL execve). This is not expected as it was
supposed to be limited to when the file system actually had capabilities
in an extended attribute.  It lists all capabilities making the event
really ugly to parse what is happening.  The PATH record correctly
records the setuid bit and owner.  Suppress the BPRM_FCAPS record on
set*id.

<crickets>

Serge?  James?  Can one of you two take this via your trees since Paul
has backed down citing (reasonably) that it is mostly capabilities
patches rather than audit?

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general

-- 
James Morris
[off-list ref]

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help