
RFE: *setxattr syscalls don't capture flags

Open stevegrubb opened this issue 7 years ago • 6 comments

The *setxattr syscalls take 5 arguments. One that is important is the fifth argument, flags. This denotes creation or replacement of the extended attribute. A similar situation occurred for mmap where an auxiliary record was created to capture a syscall argument. I think we should have an auxiliary record added for *setxattr syscalls just to state what the flags value is. It should be a 1 field record (like mmap's) simply stating the flag value numerically.

stevegrubb avatar Mar 25 '17 15:03 stevegrubb

I don't like the process of adding aux records in the case where we aren't recording enough of the syscall arguments. I was always afraid that not recording all of the syscall arguments was going to be problematic for reasons such as this.

I'm marking this as low priority as I want to think about this, this may be something we shelve until we rework the kernel/userspace API.

pcmoore avatar Mar 25 '17 15:03 pcmoore

For reference: http://man7.org/linux/man-pages/man2/setxattr.2.html

pcmoore avatar Mar 25 '17 15:03 pcmoore

The problem is we are not hooked in to the linux community where they run an ABI past the audit team to see if it meets our requirements. This is why important things wind up in structures or past the 4th argument. We have to veto those ideas or follow up with an auxiliary record.

stevegrubb avatar Mar 28 '17 04:03 stevegrubb

> The problem is we are not hooked in to the linux community where they run an ABI past the audit team to see if it meets our requirements. This is why important things wind up in structures or past the 4th argument. We have to veto those ideas or follow up with an auxiliary record.

It is naive to expect that we are always going to get notification about kernel ABI changes/updates, especially since most kernel developers actively dislike audit. From a practical point of view, we are much better off working on making the audit interfaces less prone to abuse, which means less reliance on assumptions and conventions for the in-kernel API (e.g. assuming that all interesting syscall arguments are contained in the first four arguments).

pcmoore avatar Mar 28 '17 15:03 pcmoore

Actually, only path, arg0, is captured by simply auditing setxattr. There should probably be an xattr record that captures the other arguments as they all seem security relevant given the syscall's main purpose. The name, value, and flags should be in that record.

stevegrubb avatar Mar 02 '21 15:03 stevegrubb
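To make the gap concrete, here is an added example (not code from the audit project or from anyone in this thread) that parses a constructed SYSCALL record for a *setxattr call and reports which of the five setxattr(2) parameters the record can show; it assumes x86_64 syscall numbers and the XATTR_CREATE/XATTR_REPLACE values from <sys/xattr.h>.

```python
import re

# x86_64 syscall numbers for the three *setxattr variants; other
# architectures use different numbers (assumption: x86_64 records).
SETXATTR_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

# Parameter names in argument order, per setxattr(2). fsetxattr takes an
# fd instead of a path as its first argument.
SETXATTR_PARAMS = ["path", "name", "value", "size", "flags"]

# Values of the flags argument, from <sys/xattr.h>.
XATTR_FLAGS = {1: "XATTR_CREATE", 2: "XATTR_REPLACE"}

# Constructed sample record: a SYSCALL record only carries a0..a3.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1616680800.123:4242): arch=c000003e syscall=188 '
    'success=yes exit=0 a0=7ffd3b2c1a40 a1=7ffd3b2c1a60 a2=7ffd3b2c1a80 '
    'a3=5 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 '
    'comm="setfattr" exe="/usr/bin/setfattr" key="xattr"'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split an audit record line into a dict of field name -> string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def setxattr_args(record):
    """Return (syscall_name, captured, missing) for a *setxattr SYSCALL record.

    captured maps each parameter the record carries to its raw hex value
    (a1..a3 are userspace pointers/lengths, not the name or value bytes);
    missing lists parameters the record cannot show at all.
    """
    name = SETXATTR_SYSCALLS.get(int(record.get("syscall", -1)))
    if name is None:
        return None, {}, []
    params = list(SETXATTR_PARAMS)
    if name == "fsetxattr":
        params[0] = "fd"
    captured, missing = {}, []
    for i, p in enumerate(params):
        if f"a{i}" in record:
            captured[p] = record[f"a{i}"]
        else:
            missing.append(p)
    return name, captured, missing

def decode_flags(value):
    """Name the flag bits an auxiliary record would need to carry."""
    names = [n for bit, n in XATTR_FLAGS.items() if value & bit]
    return "|".join(names) if names else "0"
```

Running `setxattr_args(parse_record(SAMPLE_RECORD))` reports flags as missing, which is exactly the argument the requested auxiliary record would supply.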

post v1 https://lore.kernel.org/r/604ceafd516b0785fea120f552d6336054d196af.1620414949.git.rgb@redhat.com

rgbriggs avatar May 07 '21 20:05 rgbriggs