Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR

From: Richard Guy Briggs
Date: Fri Jan 27 2023 - 19:22:39 EST

Next message: Kees Cook: "Re: [PATCH] scripts/dtc: Replace 0-length arrays with flexible arrays"
Previous message: Tejun Heo: "[PATCH 30/30] sched_ext: Add a rust userspace hybrid example scheduler"
In reply to: Paul Moore: "Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR"
Next in thread: Steve Grubb: "Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023-01-27 19:06, Paul Moore wrote:
> On Fri, Jan 27, 2023 at 6:01 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > On 2023-01-27 17:43, Paul Moore wrote:
> > > On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > > Getting XATTRs is not particularly interesting security-wise.
> > > >
> > > > Suggested-by: Steve Grubb <sgrubb@xxxxxxxxxx>
> > > > Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
> > > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > > > ---
> > > > io_uring/opdef.c | 2 ++
> > > > 1 file changed, 2 insertions(+)
> > >
> > > Depending on your security policy, fetching file data, including
> > > xattrs, can be interesting from a security perspective. As an
> > > example, look at the SELinux file/getattr permission.
> > >
> > > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/object_classes_permissions.md#common-file-permissions
> >
> > The intent here is to lessen the impact of audit operations. Read and
> > Write were explicitly removed from io_uring auditing due to performance
> > concerns coupled with the denial of service implications from sheer
> > volume of records making other messages harder to locate. Those
> > operations are still possible for syscall auditing but they are strongly
> > discouraged for normal use.
>
> We need to balance security needs and performance needs. You are
> correct that general read() and write() operations are not audited,
> and generally not checked from a LSM perspective as the auditing and
> access control happens at open() time instead (access to fds is
> revalidated when they are passed). However, in the case of getxattr
> and fgetxattr, these are not normal file read operations, and do not
> go through the same code path in the kernel; there is a reason why we
> have xattr_permission() and security_inode_getxattr().
>
> We need to continue to audit IORING_OP_FGETXATTR and IORING_OP_GETXATTR.

Fair enough. This would be similar reasoning to send/recv vs
sendmsg/recvmsg. I'll drop this patch. Thanks for the reasoning and
feedback.

> paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Next message: Kees Cook: "Re: [PATCH] scripts/dtc: Replace 0-length arrays with flexible arrays"
Previous message: Tejun Heo: "[PATCH 30/30] sched_ext: Add a rust userspace hybrid example scheduler"
In reply to: Paul Moore: "Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR"
Next in thread: Steve Grubb: "Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]