linux_old1/security
Richard Guy Briggs dbbbe1105e capabilities: audit log other surprising conditions
The existing condition tested for process effective capabilities set by
file attributes but intended to ignore the change if the result was
unsurprisingly an effective full set in the case root is special with a
setuid root executable file and we are root.

Stated again:
- When you execute a setuid root application, it is no surprise and
  expected that it got all capabilities, so we do not want capabilities
  recorded.
        if (pE_grew && !(pE_fullset && (eff_root || real_root) && root_priveleged) )

Now make sure we cover other cases:
- If something prevented a setuid root app getting all capabilities and
  it wound up with one capability only, then it is a surprise and should
  be logged.  When it is a setuid root file, we only want capabilities
  when the process does not get full capabilities..
        root_priveleged && setuid_root && !pE_fullset

- Similarly if a non-setuid program does pick up capabilities due to
  file system based capabilities, then we want to know what capabilities
  were picked up.  When it has file system based capabilities we want
  the capabilities.
        !is_setuid && (has_fcap && pP_gained)

- If it is a non-setuid file and it gets ambient capabilities, we want
  the capabilities.
        !is_setuid && pA_gained

- These last two are combined into one due to the common first parameter.

Related: https://github.com/linux-audit/audit-kernel/issues/16

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-10-20 15:22:46 +11:00
..
apparmor + Features 2017-09-23 05:33:29 -10:00
integrity Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2017-07-05 11:26:35 -07:00
keys fs: fix kernel_write prototype 2017-09-04 19:05:15 -04:00
loadpin security: mark LSM hooks as __ro_after_init 2017-03-06 11:00:15 +11:00
selinux selinux/stable-4.14 PR 20170831 2017-09-12 13:21:00 -07:00
smack This series has the ultimate goal of providing a sane stack rlimit when 2017-09-07 20:35:29 -07:00
tomoyo exec: Rename bprm->cred_prepared to called_set_creds 2017-08-01 12:02:48 -07:00
yama doc: ReSTify Yama.txt 2017-05-18 10:33:04 -06:00
Kconfig include/linux/string.h: add the option of fortified string.h functions 2017-07-12 16:26:03 -07:00
Makefile LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00
commoncap.c capabilities: audit log other surprising conditions 2017-10-20 15:22:46 +11:00
device_cgroup.c security/device_cgroup: Fix RCU_LOCKDEP_WARN() condition 2015-09-03 18:13:10 -07:00
inode.c securityfs: add the ability to support symlinks 2017-06-08 12:51:43 -07:00
lsm_audit.c lsm_audit: update my email address 2017-08-17 15:33:39 -04:00
min_addr.c
security.c selinux/stable-4.14 PR 20170831 2017-09-12 13:21:00 -07:00