[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

auditing file based capabilities



Hi,

With file based capabilities in recent kernels, I think we need to add those 
to the path records. An example PATH record:

node=127.0.0.1 type=PATH msg=audit(1223893548.459:459): item=1 
name="/etc/resolv.conf" inode=20774937 dev=08:08 mode=0100644 ouid=0 ogid=0 
rdev=00:00 obj=system_u:object_r:net_conf_t:s0

If executing the file leads to extra capabilities, I think we need to record 
that. If we add it, I'd like to see it recorded like render_cap_t does for 
the proc filesystem. In order to conserve disk space, should we make the 
field optional so that it doesn't appear in the record unless there are file 
based capabilities?

Thanks,
-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]