public inbox for [email protected]
 help / color / mirror / Atom feed
From: Paul Moore <[email protected]>
To: Jens Axboe <[email protected]>
Cc: Richard Guy Briggs <[email protected]>,
	LKML <[email protected]>,
	[email protected], Eric Paris <[email protected]>,
	Steve Grubb <[email protected]>, Stefan Roesch <[email protected]>,
	Christian Brauner <[email protected]>,
	Pavel Begunkov <[email protected]>
Subject: Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR
Date: Fri, 27 Jan 2023 19:07:17 -0500	[thread overview]
Message-ID: <CAHC9VhRCN9HHDkcp1xPJ7QwGq=_UG95ZCot9HRY7w5FCM2XtFg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>

On Fri, Jan 27, 2023 at 6:05 PM Jens Axboe <[email protected]> wrote:
> On 1/27/23 4:01 PM, Richard Guy Briggs wrote:
> > On 2023-01-27 17:43, Paul Moore wrote:
> >> On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs <[email protected]> wrote:
> >>> Getting XATTRs is not particularly interesting security-wise.
> >>>
> >>> Suggested-by: Steve Grubb <[email protected]>
> >>> Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
> >>> Signed-off-by: Richard Guy Briggs <[email protected]>
> >>> ---
> >>>  io_uring/opdef.c | 2 ++
> >>>  1 file changed, 2 insertions(+)
> >>
> >> Depending on your security policy, fetching file data, including
> >> xattrs, can be interesting from a security perspective.  As an
> >> example, look at the SELinux file/getattr permission.
> >>
> >> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/object_classes_permissions.md#common-file-permissions
> >
> > The intent here is to lessen the impact of audit operations.  Read and
> > Write were explicitly removed from io_uring auditing due to performance
> > concerns coupled with the denial of service implications from sheer
> > volume of records making other messages harder to locate.  Those
> > operations are still possible for syscall auditing but they are strongly
> > discouraged for normal use.
> >
> > If the frequency of getxattr io_uring ops is so infrequent as to be no
> > distraction, then this patch may be more of a liability than a benefit.
>
> (audit list removed)
>
> Right now the xattr related functions are io-wq driven, and hence not
> super performance sensitive. But I'd greatly prefer to clean these up
> regardless, because once opcodes get upgraded from needing io-wq, then
> we don't have to go through the audit discussion at that point. Better
> to do it upfront, like now, regardless of expectation of frequency of
> calls.

See my reply to Richard, but unfortunately we need to continue to
audit the getxattr ops.

-- 
paul-moore.com

  reply	other threads:[~2023-01-28  0:07 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-27 17:23 [PATCH v1 0/2] two suggested iouring op audit updates Richard Guy Briggs
2023-01-27 17:23 ` [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE Richard Guy Briggs
2023-01-27 22:35   ` Paul Moore
2023-01-27 22:45     ` Jens Axboe
2023-01-27 22:57       ` Paul Moore
2023-01-28 16:48         ` Steve Grubb
2023-01-27 23:02       ` Richard Guy Briggs
2023-01-27 23:03         ` Jens Axboe
2023-01-27 23:08           ` Richard Guy Briggs
2023-01-27 22:55     ` Richard Guy Briggs
2023-01-27 23:05       ` Paul Moore
2023-01-27 17:23 ` [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR Richard Guy Briggs
2023-01-27 22:43   ` Paul Moore
2023-01-27 23:01     ` Richard Guy Briggs
2023-01-27 23:05       ` Jens Axboe
2023-01-28  0:07         ` Paul Moore [this message]
2023-01-28  0:06       ` Paul Moore
2023-01-28  0:19         ` Richard Guy Briggs
2023-01-28 17:26     ` Steve Grubb
2023-01-29 23:37       ` Paul Moore
2023-01-27 17:40 ` [PATCH v1 0/2] two suggested iouring op audit updates Jens Axboe
2023-01-27 19:42   ` Paul Moore
2023-01-27 19:43     ` Jens Axboe
2023-01-27 22:38       ` Paul Moore
2023-01-27 22:46         ` Jens Axboe
2023-01-27 22:53           ` Paul Moore
2023-01-27 23:02             ` Jens Axboe
2023-01-27 23:07               ` Richard Guy Briggs
2023-01-27 23:08               ` Paul Moore
2023-01-27 23:10                 ` Jens Axboe
2023-01-28 16:47             ` Steve Grubb
2023-01-28 17:03               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhRCN9HHDkcp1xPJ7QwGq=_UG95ZCot9HRY7w5FCM2XtFg@mail.gmail.com' \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox