Re: [PATCH V1] audit: log xattr args not covered by syscall record

[Paul Moore]

On Tue, May 11, 2021 at 10:00 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 5/10/2021 6:28 PM, Paul Moore wrote:
> > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> >> On 5/10/2021 4:52 PM, Paul Moore wrote:
> >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> >>>> On 5/7/2021 6:54 PM, Richard Guy Briggs wrote:
> >>>>> On 2021-05-07 14:03, Casey Schaufler wrote:
> >>>>>> On 5/7/2021 12:55 PM, Richard Guy Briggs wrote:
> >>>>>>> The *setxattr syscalls take 5 arguments.  The SYSCALL record only lists
> >>>>>>> four arguments and only lists pointers of string values.  The xattr name
> >>>>>>> string, value string and flags (5th arg) are needed by audit given the
> >>>>>>> syscall's main purpose.
> >>>>>>>
> >>>>>>> Add the auxiliary record AUDIT_XATTR (1336) to record the details not
> >>>>>>> available in the SYSCALL record including the name string, value string
> >>>>>>> and flags.
> >>>>>>>
> >>>>>>> Notes about field names:
> >>>>>>> - name is too generic, use xattr precedent from ima
> >>>>>>> - val is already generic value field name
> >>>>>>> - flags used by mmap, xflags new name
> >>>>>>>
> >>>>>>> Sample event with new record:
> >>>>>>> type=PROCTITLE msg=audit(05/07/2021 12:58:42.176:189) : proctitle=filecap /tmp/ls dac_override
> >>>>>>> type=PATH msg=audit(05/07/2021 12:58:42.176:189) : item=0 name=(null) inode=25 dev=00:1e mode=file,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> >>>>>>> type=CWD msg=audit(05/07/2021 12:58:42.176:189) : cwd=/root
> >>>>>>> type=XATTR msg=audit(05/07/2021 12:58:42.176:189) : xattr="security.capability" val=01 xflags=0x0
> >>>>>> Would it be sensible to break out the namespace from the attribute?
> >>>>>>
> >>>>>>      attrspace="security" attrname="capability"
> >>>>> Do xattrs always follow this nomenclature?  Or only the ones we care
> >>>>> about?
> >>>> Xattrs always have a namespace (man 7 xattr) of "user", "trusted",
> >>>> "system" or "security". It's possible that additional namespaces will
> >>>> be created in the future, although it seems unlikely given that only
> >>>> "security" is widely used today.
> >>> Why should audit care about separating the name into two distinct
> >>> fields, e.g. "attrspace" and "attrname", instead of just a single
> >>> "xattr" field with a value that follows the "namespace.attribute"
> >>> format that is commonly seen by userspace?
> >> I asked if it would be sensible. I don't much care myself.
> > I was *asking* a question - why would we want separate fields?  I
> > guess I thought there might be some reason for asking if it was
> > sensible; if not, I think I'd rather see it as a single field.
>
> I thought that it might make searching records easier, but I'm
> not the expert on that. One might filter on attrspace=security then
> look at the attrname values. But that bikeshed can be either color.

Yeah, understood.  My concern was that the xattr name (minus the
namespace) by itself isn't really useful; similar argument with just
the namespace.  If you are going to do a string match filter it really
shouldn't matter too much either way.

-- 
paul moore
www.paul-moore.com