From: Paul Moore <[email protected]>
To: Steve Grubb <[email protected]>
Cc: Richard Guy Briggs <[email protected]>,
Linux-Audit Mailing List <[email protected]>,
LKML <[email protected]>,
[email protected], Eric Paris <[email protected]>,
Stefan Roesch <[email protected]>,
Christian Brauner <[email protected]>,
Jens Axboe <[email protected]>,
Pavel Begunkov <[email protected]>
Subject: Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR
Date: Sun, 29 Jan 2023 18:37:46 -0500 [thread overview]
Message-ID: <CAHC9VhRXUe_RiTT1VqkA_Jv08MFCMvYytZkjKcf77EqyVLi-Tw@mail.gmail.com> (raw)
In-Reply-To: <13202484.uLZWGnKmhe@x2>
On Sat, Jan 28, 2023 at 12:26 PM Steve Grubb <[email protected]> wrote:
> On Friday, January 27, 2023 5:43:02 PM EST Paul Moore wrote:
> > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs <[email protected]> wrote:
> > > Getting XATTRs is not particularly interesting security-wise.
> > >
> > > Suggested-by: Steve Grubb <[email protected]>
> > > Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
> > > Signed-off-by: Richard Guy Briggs <[email protected]>
> > > ---
> > > io_uring/opdef.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> >
> > Depending on your security policy, fetching file data, including
> > xattrs, can be interesting from a security perspective. As an
> > example, look at the SELinux file/getattr permission.
> >
> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/object_cla
> > sses_permissions.md#common-file-permissions
>
> We're mostly interested in setting attributes because that changes policy.
> Reading them is not interesting unless the access fails with EPERM.
See my earlier comments, SELinux does have provisions for caring about
reading xattrs, and now that I look at the rest of the LSMs it looks
like Smack cares about reading xattrs too. Regardless of whether a
given security policy cares about xattr access, the LSMs support
enforcing access on reading xattrs so we need to ensure the audit is
setup properly in these cases.
> I was updating the user space piece recently and saw there was a bunch of
> "new" operations. I was commenting that we need to audit 5 or 6 of the "new"
> operations such as IORING_OP_MKDIRATor IORING_OP_SETXATTR. But now that I see
> the patch, it looks like they are auditable and we can just let a couple be
> skipped. IORING_OP_MADVISE is not interesting as it just gives hiints about
> the expected access patterns of memory. If there were an equivalent of
> mprotect, that would be of interest, but not madvise.
Once again, as discussed previously, it is likely that skipping
auditing for IORING_OP_MADVISE is okay, but given that several of the
changes in this patchset were incorrect, I'd like a little more
thorough investigation before we skip auditing on madvise.
> There are some I'm not sure about such as IORING_OP_MSG_RING and
> IORING_OP_URING_CMD. What do they do?
Look at 4f57f06ce218 ("io_uring: add support for IORING_OP_MSG_RING
command") for the patch which added IORING_OP_MSG_RING as it has a
decent commit description. As for IORING_OP_URING_CMD, there were
lengthy discussions about it on the mailing lists (including audit)
back in March 2022 and then later in August on the LSM, SELinux, etc.
mailing lists when we landed some patches for it (there were no audit
changes). I also covered the IORING_OP_URING_CMD, albeit briefly, in
a presentation at LSS-EU last year:
https://www.youtube.com/watch?v=AaaH6skUEI8
https://www.paul-moore.com/docs/2022-lss_eu-iouring_lsm-pcmoore-r3.pdf
--
paul-moore.com
next prev parent reply other threads:[~2023-01-29 23:38 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 17:23 [PATCH v1 0/2] two suggested iouring op audit updates Richard Guy Briggs
2023-01-27 17:23 ` [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE Richard Guy Briggs
2023-01-27 22:35 ` Paul Moore
2023-01-27 22:45 ` Jens Axboe
2023-01-27 22:57 ` Paul Moore
2023-01-28 16:48 ` Steve Grubb
2023-01-27 23:02 ` Richard Guy Briggs
2023-01-27 23:03 ` Jens Axboe
2023-01-27 23:08 ` Richard Guy Briggs
2023-01-27 22:55 ` Richard Guy Briggs
2023-01-27 23:05 ` Paul Moore
2023-01-27 17:23 ` [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR Richard Guy Briggs
2023-01-27 22:43 ` Paul Moore
2023-01-27 23:01 ` Richard Guy Briggs
2023-01-27 23:05 ` Jens Axboe
2023-01-28 0:07 ` Paul Moore
2023-01-28 0:06 ` Paul Moore
2023-01-28 0:19 ` Richard Guy Briggs
2023-01-28 17:26 ` Steve Grubb
2023-01-29 23:37 ` Paul Moore [this message]
2023-01-27 17:40 ` [PATCH v1 0/2] two suggested iouring op audit updates Jens Axboe
2023-01-27 19:42 ` Paul Moore
2023-01-27 19:43 ` Jens Axboe
2023-01-27 22:38 ` Paul Moore
2023-01-27 22:46 ` Jens Axboe
2023-01-27 22:53 ` Paul Moore
2023-01-27 23:02 ` Jens Axboe
2023-01-27 23:07 ` Richard Guy Briggs
2023-01-27 23:08 ` Paul Moore
2023-01-27 23:10 ` Jens Axboe
2023-01-28 16:47 ` Steve Grubb
2023-01-28 17:03 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhRXUe_RiTT1VqkA_Jv08MFCMvYytZkjKcf77EqyVLi-Tw@mail.gmail.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox