From: Sergio Correia
To: audit@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: paul@paul-moore.com, eparis@redhat.com, sergeh@kernel.org, jmorris@namei.org, rrobaina@redhat.com, Sergio Correia
Subject: [PATCH] audit: fix incorrect inheritable capability in CAPSET records
Date: Tue, 12 May 2026 14:28:33 +0100
Message-ID: <20260512132833.1304542-1-scorreia@redhat.com>

__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit record
therefore reports cap_pi (process inheritable) with the value of
cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to prepare
for a privilege-escalating exec would have the change masked in the
audit trail.

The bug has been present since the original introduction of CAPSET
audit records in 2008.

Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ab54fccba215..abdf8da3be93 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cred *new, const= struct cred *old) =20 context->capset.pid =3D task_tgid_nr(current); context->capset.cap.effective =3D new->cap_effective; - context->capset.cap.inheritable =3D new->cap_effective; + context->capset.cap.inheritable =3D new->cap_inheritable; context->capset.cap.permitted =3D new->cap_permitted; context->capset.cap.ambient =3D new->cap_ambient; context->type =3D AUDIT_CAPSET; --=20 2.54.0
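
Review bot: The corrected assignment to context->capset.cap.inheritable in __audit_log_capset() comes without a regression test, and nothing in the patch would catch the same slip in the adjacent effective, permitted and ambient assignments. Consider adding a test that calls capset() with an inheritable set that differs from the effective set and asserts that the cap_pi field of the resulting CAPSET record carries the inheritable value. Separately, the commit message says the wrong value has been logged since 2008 and the trailers carry Fixes: but no Cc: stable line; an explicit stable tag would make the backport intent clear, since consumers of existing audit trails on older kernels are affected in the same way.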