From patchwork Tue Sep  5 06:46:09 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Guy Briggs <rgb@redhat.com>
X-Patchwork-Id: 9937889
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8B270601EB
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  5 Sep 2017 06:47:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 763DF2889F
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  5 Sep 2017 06:47:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6B03B288A2; Tue,  5 Sep 2017 06:47:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E735B288B0
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue,  5 Sep 2017 06:47:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751037AbdIEGrR (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Tue, 5 Sep 2017 02:47:17 -0400
Received: from mx1.redhat.com ([209.132.183.28]:60542 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751015AbdIEGrR (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Tue, 5 Sep 2017 02:47:17 -0400
Received: from smtp.corp.redhat.com
	(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 386D310F79;
	Tue,  5 Sep 2017 06:47:17 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 386D310F79
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com;
	dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com;
	spf=fail smtp.mailfrom=rgb@redhat.com
Received: from madcap2.tricolour.ca (ovpn-112-9.rdu2.redhat.com
	[10.10.112.9])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 676ED94C55;
	Tue,  5 Sep 2017 06:47:14 +0000 (UTC)
From: Richard Guy Briggs <rgb@redhat.com>
To: linux-security-module@vger.kernel.org, linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>, Andy Lutomirski <luto@kernel.org>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	Kees Cook <keescook@chromium.org>,
	James Morris <james.l.morris@oracle.com>,
	Eric Paris <eparis@redhat.com>, Paul Moore <pmoore@redhat.com>,
	Steve Grubb <sgrubb@redhat.com>
Subject: [PATCH V4 09/10] capabilities: fix logic for effective root or real
	root
Date: Tue,  5 Sep 2017 02:46:09 -0400
Message-Id: 
 <fcc7f8815666df526110b59d76707d52bd1ca9c9.1504591358.git.rgb@redhat.com>
In-Reply-To: <cover.1504591358.git.rgb@redhat.com>
References: <cover.1504591358.git.rgb@redhat.com>
In-Reply-To: <cover.1504591358.git.rgb@redhat.com>
References: <cover.1504591358.git.rgb@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.39]);
	Tue, 05 Sep 2017 06:47:17 +0000 (UTC)
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Now that the logic is inverted, it is much easier to see that both real
root and effective root conditions had to be met to avoid printing the
BPRM_FCAPS record with audit syscalls.  This meant that any setuid root
applications would print a full BPRM_FCAPS record when it wasn't
necessary, cluttering the event output, since the SYSCALL and PATH
records indicated the presence of the setuid bit and effective root user
id.

Require only one of effective root or real root to avoid printing the
unnecessary record.

Ref: commit 3fc689e96c0c ("Add audit_log_bprm_fcaps/AUDIT_BPRM_FCAPS")
See: https://github.com/linux-audit/audit-kernel/issues/16

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
---
 security/commoncap.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 7e8041d..759f3fa 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -532,7 +532,7 @@ static inline bool __is_setgid(struct cred *new, const struct cred *old)
  *
  * We do not bother to audit if 3 things are true:
  *   1) cap_effective has all caps
- *   2) we are root
+ *   2) we became root *OR* are were already root
  *   3) root is supposed to have all caps (SECURE_NOROOT)
  * Since this is just a normal root execing a process.
  *
@@ -545,8 +545,7 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root)
 
 	if (__cap_grew(effective, ambient, cred) &&
 	    !(__cap_full(effective, cred) &&
-	      __is_eff(root, cred) &&
-	      __is_real(root, cred) &&
+	      (__is_eff(root, cred) || __is_real(root, cred)) &&
 	      root_privileged()))
 		ret = true;
 	return ret;