From: Paul Moore <[email protected]>
To: Richard Guy Briggs <[email protected]>
Cc: Linux-Audit Mailing List <[email protected]>,
LKML <[email protected]>,
[email protected], Eric Paris <[email protected]>,
Steve Grubb <[email protected]>, Stefan Roesch <[email protected]>,
Christian Brauner <[email protected]>,
Jens Axboe <[email protected]>,
Pavel Begunkov <[email protected]>
Subject: Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR
Date: Fri, 27 Jan 2023 19:06:28 -0500 [thread overview]
Message-ID: <CAHC9VhSN+XSYGh0TBsCPftNvVNBN1JHugrrsp3gbF-in5S1PoA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
On Fri, Jan 27, 2023 at 6:01 PM Richard Guy Briggs <[email protected]> wrote:
> On 2023-01-27 17:43, Paul Moore wrote:
> > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs <[email protected]> wrote:
> > > Getting XATTRs is not particularly interesting security-wise.
> > >
> > > Suggested-by: Steve Grubb <[email protected]>
> > > Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
> > > Signed-off-by: Richard Guy Briggs <[email protected]>
> > > ---
> > > io_uring/opdef.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> >
> > Depending on your security policy, fetching file data, including
> > xattrs, can be interesting from a security perspective. As an
> > example, look at the SELinux file/getattr permission.
> >
> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/object_classes_permissions.md#common-file-permissions
>
> The intent here is to lessen the impact of audit operations. Read and
> Write were explicitly removed from io_uring auditing due to performance
> concerns coupled with the denial of service implications from sheer
> volume of records making other messages harder to locate. Those
> operations are still possible for syscall auditing but they are strongly
> discouraged for normal use.
We need to balance security needs and performance needs. You are
correct that general read() and write() operations are not audited,
and generally not checked from a LSM perspective as the auditing and
access control happens at open() time instead (access to fds is
revalidated when they are passed). However, in the case of getxattr
and fgetxattr, these are not normal file read operations, and do not
go through the same code path in the kernel; there is a reason why we
have xattr_permission() and security_inode_getxattr().
We need to continue to audit IORING_OP_FGETXATTR and IORING_OP_GETXATTR.
--
paul-moore.com
next prev parent reply other threads:[~2023-01-28 0:07 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 17:23 [PATCH v1 0/2] two suggested iouring op audit updates Richard Guy Briggs
2023-01-27 17:23 ` [PATCH v1 1/2] io_uring,audit: audit IORING_OP_FADVISE but not IORING_OP_MADVISE Richard Guy Briggs
2023-01-27 22:35 ` Paul Moore
2023-01-27 22:45 ` Jens Axboe
2023-01-27 22:57 ` Paul Moore
2023-01-28 16:48 ` Steve Grubb
2023-01-27 23:02 ` Richard Guy Briggs
2023-01-27 23:03 ` Jens Axboe
2023-01-27 23:08 ` Richard Guy Briggs
2023-01-27 22:55 ` Richard Guy Briggs
2023-01-27 23:05 ` Paul Moore
2023-01-27 17:23 ` [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR Richard Guy Briggs
2023-01-27 22:43 ` Paul Moore
2023-01-27 23:01 ` Richard Guy Briggs
2023-01-27 23:05 ` Jens Axboe
2023-01-28 0:07 ` Paul Moore
2023-01-28 0:06 ` Paul Moore [this message]
2023-01-28 0:19 ` Richard Guy Briggs
2023-01-28 17:26 ` Steve Grubb
2023-01-29 23:37 ` Paul Moore
2023-01-27 17:40 ` [PATCH v1 0/2] two suggested iouring op audit updates Jens Axboe
2023-01-27 19:42 ` Paul Moore
2023-01-27 19:43 ` Jens Axboe
2023-01-27 22:38 ` Paul Moore
2023-01-27 22:46 ` Jens Axboe
2023-01-27 22:53 ` Paul Moore
2023-01-27 23:02 ` Jens Axboe
2023-01-27 23:07 ` Richard Guy Briggs
2023-01-27 23:08 ` Paul Moore
2023-01-27 23:10 ` Jens Axboe
2023-01-28 16:47 ` Steve Grubb
2023-01-28 17:03 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSN+XSYGh0TBsCPftNvVNBN1JHugrrsp3gbF-in5S1PoA@mail.gmail.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox