From e41128d488b3cec3726d4c63d8eee21cb3ae9c12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Tue, 18 Jul 2023 19:26:01 +0200 Subject: [PATCH] notebook: auditing: list noaudit exemptions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the general case a rejected capability check will result in an audit event. There are however some instances in the kernel where denied capability checks are not audited, which could lead to differences in behavior between enforcing and permissive mode. Document this fact and list (hopefully) all occurrences in kernel v6.4. Signed-off-by: Christian Göttsche --- src/auditing.md | 95 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/src/auditing.md b/src/auditing.md index e3063d1..d7808dc 100644 --- a/src/auditing.md +++ b/src/auditing.md @@ -3,6 +3,7 @@ - [AVC Audit Events](#avc-audit-events) - [Example Audit Events](#example-audit-events) - [General SELinux Audit Events](#general-selinux-audit-events) +- [Capability Audit Exemptions](#capability-audit-exemptions) For SELinux there are two main types of audit event: 
@@ -377,6 +378,100 @@ new-context=?: exe="/usr/bin/newrole" hostname=? addr=? terminal=/dev/pts/0 res=failed' ``` +## Capability Audit Exemptions + +In the general case a rejected capability check will result in an audit event. +There are however some instances in the kernel where denied capability checks +are not audited, which could lead to differences in behavior between enforcing +and permissive mode. + +List of exemptions (no guarantee for completeness)(locations are based on +kernel v6.5 unless otherwise specified): + +- *fs/proc/base.c#L1110*, + *fs/proc/base.c#L1129* + + If not granted *CAP_SYS_RESOURCE* the OOM kill score adjustment min value is + not set. + +- *fs/overlayfs/inode.c#L429*, + *fs/xattr.c#L1298* + + If not granted *CAP_SYS_ADMIN* in its namespace extended attributes in the + *trusted* namespace are not listed. + +- *fs/xfs/xfs_fsmap.c#L894* + + If not granted *CAP_SYS_ADMIN* the XFS data device's *bnobt* is queried + instead of *rmapbt*. + +- *fs/xfs/xfs_ioctl.c#L1199*, + *fs/xfs/xfs_iops.c#L709* + + If not granted *CAP_FOWNER* XFS quota checks on transactions are performed. + +- *io_uring/io_uring.c#L3887* + + If not granted *CAP_IPC_LOCK* io_uring operations are accounted against the + user's RLIMIT_MEMLOCK limit. + +- *kernel/capability.c#L519* + + If not granted *CAP_SYS_PTRACE* tracing an unsafe (e.g. *no_new_privs* set + or shared, see *fs/exec.c:check_unsafe_exec()*) task or a coredump of a + non-user process is not permitted. + +- *kernel/ksyms_common.c#L37* + + If not granted *CAP_SYSLOG* kallsyms information are not shown, except if + kernel profiling is enabled and is explicitly not set to paranoid. + +- *kernel/ptrace.c#L282* + + If not granted *CAP_SYS_PTRACE* in its namespace several fields in the *PID* + directory entry *stat* files are not populated (*startcode*, *endcode*, + *startstack*, *kstkesp*, *kstkeip*, *wchan*, *start_data*, *end_data*, + *start_brk*, *arg_start*, *arg_end*, *env_start*, *env_end* and + *exit_code*). 
+ +- *kernel/seccomp.c#L662* + + If not granted *CAP_SYS_ADMIN* in its namespace preparing a seccomp filter + running without *no_new_privs* is not permitted. + +- *lib/vsprintf.c#L881* + + If not granted *CAP_SYSLOG* restricted pointers are not included in strings + formatted via *%pK*. + +- *net/vmw_vsock/af_vsock.c#L779* + + If not granted *CAP_NET_ADMIN* in its namespace new *VSOCK* sockets are not + marked as trusted. + +- *net/sysctl_net.c#L48* + + If not granted *CAP_NET_ADMIN* in its namespace the inodes of + */proc/sys/net* have more restricted *DAC* permissions. + +- *security/commoncap.c#L1405* + + If not granted *CAP_SYS_ADMIN* allocation of a new virtual mapping are + restricted in size to reserve memory for sysadmin. + +- *security/integrity/ima/ima_policy.c#L607* + + If not granted *CAP_SETUID* rules regarding foreign *UID*s are not matched. + +- *security/integrity/ima/ima_policy.c#L618* + + If not granted *CAP_SETGID* rules regarding foreign *GID*s are not matched. + +- *security/landlock/syscalls.c#L413* + + If not granted *CAP_SYS_ADMIN* in its namespace enforcing a Landlock ruleset + running without *no_new_privs* is not permitted. + ---
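Review bot: the new section's intro says "(locations are based on kernel v6.5 unless otherwise specified)" while the commit message says the occurrences were collected for kernel v6.4; pick one version and state it in both places, and since bare `#Lnnn` anchors drift with every release, consider naming the function next to each location the way the *kernel/capability.c* entry already does with *fs/exec.c:check_unsafe_exec()*, so the entry stays resolvable after the line numbers move. The opening paragraph would also be clearer if it said concretely how the enforcing/permissive difference arises: because the denied check emits no AVC in permissive mode, the policy author never sees a rule to add, and in enforcing mode the same check then fails silently. Smaller nits in the same hunk: "(no guarantee for completeness)(locations are based on" is missing a space between the two parentheticals; "allocation of a new virtual mapping are restricted in size" should read "allocations of new virtual mappings are restricted in size" (or "allocation ... is restricted"); "kallsyms information are not shown" should be "is not shown"; and the *net/* entries are out of the path order the rest of the list follows (*net/vmw_vsock/af_vsock.c* is listed before *net/sysctl_net.c*).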