1. Patchew
  2. linux
  3. View series

[PATCH] audit: fix incorrect inheritable capability in CAPSET records

Sergio Correia posted 1 patch 1 month ago 
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] audit: fix incorrect inheritable capability in CAPSET records
Posted by Sergio Correia 1 month ago 
__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.

The bug has been present since the original introduction of CAPSET
audit records in 2008.

Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed.  This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ab54fccba215..abdf8da3be93 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cred *new, const struct cred *old)
 
 	context->capset.pid = task_tgid_nr(current);
 	context->capset.cap.effective   = new->cap_effective;
-	context->capset.cap.inheritable = new->cap_effective;
+	context->capset.cap.inheritable = new->cap_inheritable;
 	context->capset.cap.permitted   = new->cap_permitted;
 	context->capset.cap.ambient     = new->cap_ambient;
 	context->type = AUDIT_CAPSET;
-- 
2.54.0
Re: [PATCH] audit: fix incorrect inheritable capability in CAPSET records
Posted by Paul Moore 1 month ago 
On May 12, 2026 Sergio Correia <scorreia@redhat.com> wrote:
> 
> __audit_log_capset() records the effective capability set into the
> inheritable field due to a copy-paste error. Every CAPSET audit
> record therefore reports cap_pi (process inheritable) with the value
> of cap_effective instead of cap_inheritable.
> 
> This silently corrupts audit data used for compliance and forensic
> analysis: an attacker who modifies inheritable capabilities to
> prepare for a privilege-escalating exec would have the change masked
> in the audit trail.
> 
> The bug has been present since the original introduction of CAPSET
> audit records in 2008.
> 
> Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed.  This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
> Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
> Assisted-by: Claude:claude-opus-4-6
> Signed-off-by: Sergio Correia <scorreia@redhat.com>
> ---
>  kernel/auditsc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Good work, thanks!  I'm merging this into audit/stable-7.1 and will
send this up to Linus later this week.

--
paul-moore.com

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.