On Tue, May 11, 2021 at 10:00 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > On 5/10/2021 6:28 PM, Paul Moore wrote: > > On Mon, May 10, 2021 at 8:37 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > >> On 5/10/2021 4:52 PM, Paul Moore wrote: > >>> On Mon, May 10, 2021 at 12:30 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > >>>> On 5/7/2021 6:54 PM, Richard Guy Briggs wrote: > >>>>> On 2021-05-07 14:03, Casey Schaufler wrote: > >>>>>> On 5/7/2021 12:55 PM, Richard Guy Briggs wrote: > >>>>>>> The *setxattr syscalls take 5 arguments. The SYSCALL record only lists > >>>>>>> four arguments and only lists pointers of string values. The xattr name > >>>>>>> string, value string and flags (5th arg) are needed by audit given the > >>>>>>> syscall's main purpose. > >>>>>>> > >>>>>>> Add the auxiliary record AUDIT_XATTR (1336) to record the details not > >>>>>>> available in the SYSCALL record including the name string, value string > >>>>>>> and flags. > >>>>>>> > >>>>>>> Notes about field names: > >>>>>>> - name is too generic, use xattr precedent from ima > >>>>>>> - val is already generic value field name > >>>>>>> - flags used by mmap, xflags new name > >>>>>>> > >>>>>>> Sample event with new record: > >>>>>>> type=PROCTITLE msg=audit(05/07/2021 12:58:42.176:189) : proctitle=filecap /tmp/ls dac_override > >>>>>>> type=PATH msg=audit(05/07/2021 12:58:42.176:189) : item=0 name=(null) inode=25 dev=00:1e mode=file,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 > >>>>>>> type=CWD msg=audit(05/07/2021 12:58:42.176:189) : cwd=/root > >>>>>>> type=XATTR msg=audit(05/07/2021 12:58:42.176:189) : xattr="security.capability" val=01 xflags=0x0 > >>>>>> Would it be sensible to break out the namespace from the attribute? > >>>>>> > >>>>>> attrspace="security" attrname="capability" > >>>>> Do xattrs always follow this nomenclature? Or only the ones we care > >>>>> about? > >>>> Xattrs always have a namespace (man 7 xattr) of "user", "trusted", > >>>> "system" or "security". It's possible that additional namespaces will > >>>> be created in the future, although it seems unlikely given that only > >>>> "security" is widely used today. > >>> Why should audit care about separating the name into two distinct > >>> fields, e.g. "attrspace" and "attrname", instead of just a single > >>> "xattr" field with a value that follows the "namespace.attribute" > >>> format that is commonly seen by userspace? > >> I asked if it would be sensible. I don't much care myself. > > I was *asking* a question - why would we want separate fields? I > > guess I thought there might be some reason for asking if it was > > sensible; if not, I think I'd rather see it as a single field. > > I thought that it might make searching records easier, but I'm > not the expert on that. One might filter on attrspace=security then > look at the attrname values. But that bikeshed can be either color. Yeah, understood. My concern was that the xattr name (minus the namespace) by itself isn't really useful; similar argument with just the namespace. If you are going to do a string match filter it really shouldn't matter too much either way. -- paul moore www.paul-moore.com
