linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: cap_* fields swing in and out of PATH record #42

Closed rgbriggs closed 7 years ago

rgbriggs commented 7 years ago

The cap_* fields swing in and out of PATH records. If no capabilities are set, the cap fields are completely missing and when one of the cap_fi or cap_fp values is empty, that field is omitted. Normalize the PATH record by always printing all 4 cap fields.

rgbriggs commented 7 years ago

Patch posted upstream: https://www.redhat.com/archives/linux-audit/2017-April/msg00128.html

pcmoore commented 7 years ago

Commented upstream; looks good, but needs to wait until after the v4.12 merge window for merging into audit/next.

pcmoore commented 7 years ago

Merged via 4b3e4ed6b0d958d7fb2f160bb8ebfb4f0db19382.

The-Mule commented 7 years ago

@rgbriggs is this covered in audit-testsuite?

rgbriggs commented 7 years ago

On 2017-10-04 03:07, Ondrej Moris wrote:

> @rgbriggs is this covered in audit-testsuite?

I don't believe so, but it is very easy to check with:

ausearch -i -m path|grep PATH|less

and every entry should have four cap_* fields, most records showing:

cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
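
The manual check from the last comment, automated as an added example (not code from the thread or from audit-testsuite): a shell function that reads audit records on stdin and lists every PATH record lacking one of the four cap_* fields. The function names `check_path_caps` and `sample_records` and the sample records themselves are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report PATH records that lack any of
# the four cap_* fields named in the issue.

# Reads audit records on stdin (raw audit.log lines or ausearch output).
# Prints one line per incomplete PATH record; returns 1 if any were found.
check_path_caps() {
    awk '
    $0 ~ /^type=PATH[ \t]/ || $0 ~ /[ \t]type=PATH[ \t]/ {
        missing = ""
        n = split("cap_fp cap_fi cap_fe cap_fver", want, " ")
        # Each field must appear as its own space-delimited key.
        for (i = 1; i <= n; i++)
            if ($0 !~ ("[ \t]" want[i] "="))
                missing = missing " " want[i]
        if (missing != "") {
            id = "audit(?)"
            if (match($0, /audit\([^)]*\)/))
                id = substr($0, RSTART, RLENGTH)
            printf "%s missing:%s\n", id, missing
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample records (not captured from a real system):
#   :101 all four fields present (the normalized form)
#   :102 no cap_* fields at all (no capabilities set, old behaviour)
#   :103 cap_fi omitted because it was empty (old behaviour)
sample_records() {
    cat <<'EOF'
type=PATH msg=audit(1507100820.101:101): item=0 name="/usr/bin/ls" inode=101 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1507100820.102:102): item=0 name="/usr/bin/cat" inode=102 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1507100820.103:103): item=0 name="/usr/bin/ping" inode=103 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000002000 cap_fe=1 cap_fver=2
type=SYSCALL msg=audit(1507100820.103:103): arch=c000003e syscall=59 success=yes exit=0
EOF
}

sample_records | check_path_caps || echo "PATH records with missing cap_* fields found"
```

On a live system the input would come from `ausearch -m path` in place of `sample_records`.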