Date: Thu, 24 Jan 2019 21:20:59 -0600
From: "Serge E. Hallyn"
To: Richard Guy Briggs
Cc: Linux Security Module list, LKML, Linux-Audit Mailing List, Paul Moore, Steve Grubb, Eric Paris, Serge Hallyn
Subject: Re: [PATCH ghak103 V1] audit: add support for fcaps v3
Message-ID: <20190125032059.GA10044@mail.hallyn.com>

On Wed, Jan 23, 2019 at 09:36:25PM -0500, Richard Guy Briggs wrote:
> V3 namespaced file capabilities were introduced in
> commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
>
> Add support for these by adding the "frootid" field to the existing
> fcaps fields in the NAME and BPRM_FCAPS records.
>
> Please see github issue
> https://github.com/linux-audit/audit-kernel/issues/103
> > Signed-off-by: Richard Guy Briggs Looks like good info to have, Acked-by: Serge Hallyn > --- > Passes audit-testsuite. > > include/linux/capability.h | 5 +++-- > kernel/audit.c | 6 ++++-- > kernel/audit.h | 1 + > kernel/auditsc.c | 4 ++++ > security/commoncap.c | 2 ++ > 5 files changed, 14 insertions(+), 4 deletions(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index f640dcbc880c..f6bb691547fd 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -14,7 +14,7 @@ > #define _LINUX_CAPABILITY_H > > #include > - > +#include > > #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 > #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 > @@ -25,11 +25,12 @@ > __u32 cap[_KERNEL_CAPABILITY_U32S]; > } kernel_cap_t; > > -/* exact same as vfs_cap_data but in cpu endian and always filled completely */ > +/* exact same as vfs_ns_cap_data but in cpu endian and always filled completely */ > struct cpu_vfs_cap_data { > __u32 magic_etc; > kernel_cap_t permitted; > kernel_cap_t inheritable; > + kuid_t rootid; > }; > > #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) > diff --git a/kernel/audit.c b/kernel/audit.c > index ca55ccb46b76..6f5eeb658ccb 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2083,8 +2083,9 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) > { > audit_log_cap(ab, "cap_fp", &name->fcap.permitted); > audit_log_cap(ab, "cap_fi", &name->fcap.inheritable); > - audit_log_format(ab, " cap_fe=%d cap_fver=%x", > - name->fcap.fE, name->fcap_ver); > + audit_log_format(ab, " cap_fe=%d cap_fver=%x cap_frootid=%d", > + name->fcap.fE, name->fcap_ver, > + from_kuid(&init_user_ns, name->fcap.rootid)); > } > > static inline int audit_copy_fcaps(struct audit_names *name, 
> @@ -2103,6 +2104,7 @@ static inline int audit_copy_fcaps(struct audit_names *name, > name->fcap.permitted = caps.permitted; > name->fcap.inheritable = caps.inheritable; > name->fcap.fE = !!(caps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); > + name->fcap.rootid = caps.rootid; > name->fcap_ver = (caps.magic_etc & VFS_CAP_REVISION_MASK) >> > VFS_CAP_REVISION_SHIFT; > > diff --git a/kernel/audit.h b/kernel/audit.h > index 6ffb70575082..deefdbe61a47 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -69,6 +69,7 @@ struct audit_cap_data { > kernel_cap_t effective; /* effective set of process */ > }; > kernel_cap_t ambient; > + kuid_t rootid; > }; > > /* When fs/namei.c:getname() is called, we store the pointer in name and bump > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index b585ceb2f7a2..461c52eff870 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1358,6 +1358,9 @@ static void audit_log_exit(void) > audit_log_cap(ab, "pi", &axs->new_pcap.inheritable); > audit_log_cap(ab, "pe", &axs->new_pcap.effective); > audit_log_cap(ab, "pa", &axs->new_pcap.ambient); > + audit_log_format(ab, " frootid=%d", > + from_kuid(&init_user_ns, > + axs->fcap.rootid)); > break; } > > } > @@ -2355,6 +2358,7 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm, > ax->fcap.permitted = vcaps.permitted; > ax->fcap.inheritable = vcaps.inheritable; > ax->fcap.fE = !!(vcaps.magic_etc & VFS_CAP_FLAGS_EFFECTIVE); > + ax->fcap.rootid = vcaps.rootid; > ax->fcap_ver = (vcaps.magic_etc & VFS_CAP_REVISION_MASK) >> VFS_CAP_REVISION_SHIFT; > > ax->old_pcap.permitted = old->cap_permitted; > diff --git a/security/commoncap.c b/security/commoncap.c > index 232db019f051..c097f3568001 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c 
> @@ -643,6 +643,8 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data > cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; > cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; > > + cpu_caps->rootid = rootkuid; > + > return 0; > } > > -- > 1.8.3.1
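Review bot: in the include/linux/capability.h hunk, the new `kuid_t rootid;` member of struct cpu_vfs_cap_data has no comment, while the struct comment just above it now promises the data is "always filled completely"; a one-line comment saying what rootid holds for a v3 xattr (the namespaced root id) and what it holds for an older v1/v2 xattr that stores no root id would spare readers a trip into get_vfs_caps_from_disk().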
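Review bot: in the kernel/audit.c audit_log_fcaps() hunk, `cap_frootid=%d` prints the value returned by from_kuid() with a signed conversion, but from_kuid() returns a uid_t (unsigned), so a root id at or above 2^31 would be logged as a negative number; `%u`, as used for the other uid fields in audit records, avoids that: `" cap_fe=%d cap_fver=%x cap_frootid=%u"`. The commit message also calls the new field "frootid" in both records, while this hunk names it "cap_frootid" in the NAME record; the message should spell out both names so userspace parsers pick up the right one for each record type.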
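Review bot: in the kernel/audit.h hunk, `kuid_t rootid;` is added to struct audit_cap_data, which is used both for file capabilities (fcap) and for process capabilities (old_pcap/new_pcap, as the `pi`/`pe`/`pa` logging in the auditsc.c hunk shows); following the existing `effective; /* effective set of process */` comment, mark rootid as meaningful only for the file-capability use so that nobody later logs it from a pcap entry where it is never set.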
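Review bot: in the kernel/auditsc.c audit_log_exit() hunk, `" frootid=%d"` has the same signedness concern as cap_frootid (from_kuid() returns an unsigned uid_t, so `%u` is the matching conversion), and the field is appended after the new process capability fields `pi`/`pe`/`pa` rather than next to the file capability fields it describes; if the BPRM_FCAPS field order is not yet relied upon by userspace, grouping frootid with the fcap fields would make the record easier to read and to document.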
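Review bot: in the security/commoncap.c hunk, `cpu_caps->rootid = rootkuid;` is reached only on the success path of get_vfs_caps_from_disk(); that is fine for the audit callers in this patch, which copy rootid only when the function returns 0, but since the capability.h comment now says the struct is "always filled completely", confirm that rootkuid is assigned for v1/v2 xattrs as well (not only in the v3 branch) before control reaches this line, otherwise cap_frootid/frootid would log an uninitialised id for non-namespaced file capabilities.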