From patchwork Thu May 11 20:42:43 2017
X-Patchwork-Submitter: Richard Guy Briggs
X-Patchwork-Id: 9723015
From: Richard Guy Briggs
To: linux-security-module@vger.kernel.org, linux-audit@redhat.com
Cc: Richard Guy Briggs, Andy Lutomirski, "Serge E. Hallyn", Kees Cook, James Morris, Eric Paris, Paul Moore, Steve Grubb
Subject: [RFC PATCH V2 4/4] capabilities: audit log other surprising conditions
Date: Thu, 11 May 2017 16:42:43 -0400
Message-Id: <1779aa46278bf6b03052c2d4a59d68a996fd61a0.1494527628.git.rgb@redhat.com>

The existing condition tested for process effective capabilities set by
file attributes but intended to ignore the change if the result was
unsurprisingly an effective full set in the case root is special with a
setuid root executable file and we are root.

Stated again:

- When you execute a setuid root application, it is no surprise and
  expected that it got all capabilities, so we do not want capabilities
  recorded.

    if (pESET && !(pEALL && (EROOT || RROOT) && SROOT) )

Now make sure we cover other cases:

- If something prevented a setuid root app getting all capabilities and
  it wound up with one capability only, then it is a surprise and should
  be logged. When it is a setuid root file, we only want capabilities
  when the process does not get full capabilities.

    SROOT && SETUIDROOT && !pEALL

- Similarly, if a non-setuid program does pick up capabilities due to
  file system based capabilities, then we want to know what capabilities
  were picked up. When it has file system based capabilities we want the
  capabilities.

    !SUID && FILECAP && pPADD

- If it is a non-setuid file and it gets ambient capabilities, we want
  the capabilities.

    !SUID && pAADD

Related: https://github.com/linux-audit/audit-kernel/issues/16
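To make the decision table above concrete, here is an added userspace model of the audit predicate before and after this patch, evaluated over a few constructed exec scenarios. It is an illustration written for this page, not kernel code and not part of the series; the macro names (pESET, pEALL, EROOT, RROOT, SROOT, SETUIDROOT, SUID, pPADD, pAADD) and has_cap are taken from the patch, but the definitions given to them here (effective set non-empty, effective set full, permitted or ambient set grew across exec, and so on), the struct fields and the scenario data are this model's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the cap_bprm_set_creds() audit decision; not kernel code.
 * Capability sets are modelled as 64-bit masks. */
typedef uint64_t capmask_t;
#define CAP_FULL   (~(capmask_t)0)
#define CAP_BIT(n) ((capmask_t)1 << (n))
#define CAP_NET_BIND_SERVICE 10   /* real capability numbers, used as sample bits */
#define CAP_NET_ADMIN        12

/* State of one exec, before (old_*) and after (new_*) credentials are computed.
 * Field meanings are this model's assumptions about the patch's macros. */
struct exec_model {
    const char *name;
    bool file_setuid;        /* SUID: the file has the setuid bit */
    bool file_setuid_root;   /* SETUIDROOT: setuid bit and owner uid 0 */
    bool file_has_fcaps;     /* has_cap: the file carries security.capability */
    bool secure_noroot;      /* SECURE_NOROOT securebit; SROOT is its negation */
    unsigned new_euid, new_uid;
    capmask_t old_permitted, old_ambient;
    capmask_t new_effective, new_permitted, new_ambient;
};

struct predicates {
    bool pESET, pEALL, EROOT, RROOT, SROOT, SETUIDROOT, SUID, pPADD, pAADD, has_cap;
};

/* Assumed definitions of the patch's macros in terms of the model above. */
static struct predicates eval(const struct exec_model *m)
{
    struct predicates p;
    p.pESET = m->new_effective != 0;                         /* effective set non-empty */
    p.pEALL = m->new_effective == CAP_FULL;                  /* effective set is full */
    p.EROOT = m->new_euid == 0;
    p.RROOT = m->new_uid == 0;
    p.SROOT = !m->secure_noroot;                             /* root is still special */
    p.SETUIDROOT = m->file_setuid_root;
    p.SUID = m->file_setuid;
    p.pPADD = (m->new_permitted & ~m->old_permitted) != 0;   /* permitted set grew */
    p.pAADD = (m->new_ambient & ~m->old_ambient) != 0;       /* ambient set grew */
    p.has_cap = m->file_has_fcaps;
    return p;
}

/* The condition as it stood before this patch. */
static bool old_should_audit(const struct exec_model *m)
{
    struct predicates p = eval(m);
    return p.pESET && !(p.pEALL && (p.EROOT || p.RROOT) && p.SROOT);
}

/* The condition as this patch rewrites it. */
static bool new_should_audit(const struct exec_model *m)
{
    struct predicates p = eval(m);
    return (p.pESET && !(p.pEALL && (p.EROOT || p.RROOT) && p.SROOT))
        || (p.SROOT && p.SETUIDROOT && !p.pEALL)
        || (!p.SUID && ((p.has_cap && p.pPADD) || p.pAADD));
}

/* Constructed scenarios (sample data, not captured audit records). */
#define NSCENARIOS 4
static const struct exec_model scenarios[NSCENARIOS] = {
    { .name = "root execs setuid-root binary, gets full set",
      .file_setuid = true, .file_setuid_root = true,
      .new_euid = 0, .new_uid = 0,
      .new_effective = CAP_FULL, .new_permitted = CAP_FULL },
    { .name = "setuid-root binary, bounding set left effective empty",
      .file_setuid = true, .file_setuid_root = true,
      .new_euid = 0, .new_uid = 1000 },
    { .name = "non-setuid binary with permitted-only file caps",
      .file_has_fcaps = true, .new_euid = 1000, .new_uid = 1000,
      .new_permitted = CAP_BIT(CAP_NET_BIND_SERVICE) },
    { .name = "non-setuid binary with effective file caps",
      .file_has_fcaps = true, .new_euid = 1000, .new_uid = 1000,
      .new_effective = CAP_BIT(CAP_NET_ADMIN),
      .new_permitted = CAP_BIT(CAP_NET_ADMIN) },
};

/* How many of the scenarios produce an audit record only with the new condition. */
static int count_newly_audited(void)
{
    int n = 0;
    for (int i = 0; i < NSCENARIOS; i++)
        if (new_should_audit(&scenarios[i]) && !old_should_audit(&scenarios[i]))
            n++;
    return n;
}

int main(void)
{
    for (int i = 0; i < NSCENARIOS; i++)
        printf("%-55s old:%s new:%s\n", scenarios[i].name,
               old_should_audit(&scenarios[i]) ? "audit" : "skip ",
               new_should_audit(&scenarios[i]) ? "audit" : "skip ");
    printf("newly audited scenarios: %d\n", count_newly_audited());
    return 0;
}
```

Under these assumed definitions the model shows where the two new disjuncts actually bite: an exec whose effective set ends up non-empty but not full is already caught by the first disjunct, so the second and third terms add records for the cases where the effective set is empty yet the file was setuid-root (term two) or a non-setuid file with file capabilities still enlarged the permitted set (term three).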
Signed-off-by: Richard Guy Briggs --- security/commoncap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index c0adee6..6309e81 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -608,7 +608,9 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) * Number 1 above might fail if you don't have a full bset, but I think * that is interesting information to audit. */ - if (pESET && !(pEALL && (EROOT || RROOT) && SROOT) ) { + if ( (pESET && !(pEALL && (EROOT || RROOT) && SROOT) ) + || (SROOT && SETUIDROOT && !pEALL) + || (!SUID && ( (has_cap && pPADD) || pAADD) )) { ret = audit_log_bprm_fcaps(bprm, new, old); if (ret < 0) return ret;
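Review bot: the comment block above the condition, whose visible tail still reads "Number 1 above might fail if you don't have a full bset, but I think that is interesting information to audit", documents only the original criterion; the two new disjuncts in this hunk (setuid-root without a full effective set, and non-setuid with file or ambient capabilities) should be described there as well, otherwise the comment and the code disagree. The cover text also names FILECAP for the third case while the code uses `has_cap`, so one of them should be renamed to match, and since SUID, SETUIDROOT, pPADD, pAADD and has_cap are not defined in this hunk the commit message should say which earlier patch in the series introduces them. On logic: if pESET means the new effective set is non-empty, a setuid-root exec that ends up with exactly one capability already satisfies the first disjunct via `pESET && !pEALL`, so `SROOT && SETUIDROOT && !pEALL` only adds the case where the effective set ends up empty; the "one capability only" wording in the cover text should describe that case instead. Style: kernel convention is `if ((pESET && ...` with no spaces inside the outer parentheses, and the `||` operators belong at the end of each continued line rather than at the start of the next.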