Re: [PATCH] audit: fix incorrect inheritable capability in CAPSET records

Next message: Pasha Tatashin: "Re: [PATCH 2/5] liveupdate: Remove limit on the number of files per session"
Previous message: Bart Van Assche: "Re: [PATCH 2/2] ufs: ufshcd-pci: Use PCI_VDEVICE and named initializers for pci array"
In reply to: Sergio Correia: "[PATCH] audit: fix incorrect inheritable capability in CAPSET records"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paul Moore

Date: Tue May 12 2026 - 16:05:58 EST

On May 12, 2026 Sergio Correia <scorreia@xxxxxxxxxx> wrote:
>
> __audit_log_capset() records the effective capability set into the
> inheritable field due to a copy-paste error. Every CAPSET audit
> record therefore reports cap_pi (process inheritable) with the value
> of cap_effective instead of cap_inheritable.
>
> This silently corrupts audit data used for compliance and forensic
> analysis: an attacker who modifies inheritable capabilities to
> prepare for a privilege-escalating exec would have the change masked
> in the audit trail.
>
> The bug has been present since the original introduction of CAPSET
> audit records in 2008.
>
> Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
> Reviewed-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
> Assisted-by: Claude:claude-opus-4-6
> Signed-off-by: Sergio Correia <scorreia@xxxxxxxxxx>
> ---
> kernel/auditsc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Good work, thanks! I'm merging this into audit/stable-7.1 and will
send this up to Linus later this week.

--
paul-moore.com