Commit e4a64047 authored May 12, 2026 by Sergio Correia Committed by Paul Moore May 12, 2026

audit: fix incorrect inheritable capability in CAPSET records



__audit_log_capset() records the effective capability set into the
inheritable field due to a copy-paste error. Every CAPSET audit
record therefore reports cap_pi (process inheritable) with the value
of cap_effective instead of cap_inheritable.

This silently corrupts audit data used for compliance and forensic
analysis: an attacker who modifies inheritable capabilities to
prepare for a privilege-escalating exec would have the change masked
in the audit trail.

The bug has been present since the original introduction of CAPSET
audit records in 2008.

Cc: stable@vger.kernel.org
Fixes: e68b75a0 ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed.  This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.")
Reviewed-by: Ricardo Robaina <rrobaina@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 254f4963

kernel/auditsc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cred new, const struct cred old)

		context->capset.pid = task_tgid_nr(current);
		context->capset.cap.effective = new->cap_effective;
		context->capset.cap.inheritable = new->cap_effective;
		context->capset.cap.inheritable = new->cap_inheritable;
		context->capset.cap.permitted = new->cap_permitted;
		context->capset.cap.ambient = new->cap_ambient;
		context->type = AUDIT_CAPSET;