audit: fix incorrect inheritable capability in CAPSET records - kernel/linux.git

diff options

author	Sergio Correia <scorreia@redhat.com>	2026-05-12 16:28:33 +0300
committer	Paul Moore <paul@paul-moore.com>	2026-05-12 23:05:57 +0300
commit	e4a640475e43f406fdfd56d370b1f34b0cbbc18d (patch)
tree	8e4395b0f8002c0b30b81c7554b949f5ca67a246 /tools/lib/python/kdoc/parse_data_structs.py
parent	254f49634ee16a731174d2ae34bc50bd5f45e731 (diff)
download	linux-e4a640475e43f406fdfd56d370b1f34b0cbbc18d.tar.xz

audit: fix incorrect inheritable capability in CAPSET records

__audit_log_capset() records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cap_pi (process inheritable) with the value of cap_effective instead of cap_inheritable. This silently corrupts audit data used for compliance and forensic analysis: an attacker who modifies inheritable capabilities to prepare for a privilege-escalating exec would have the change masked in the audit trail. The bug has been present since the original introduction of CAPSET audit records in 2008. Cc: stable@vger.kernel.org Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.") Reviewed-by: Ricardo Robaina <rrobaina@redhat.com> Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Sergio Correia <scorreia@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'tools/lib/python/kdoc/parse_data_structs.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: