From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Getting the value of a syscall's memory address argument - setxattr
Date: Tue, 02 Mar 2021 10:27:08 -0500
Message-ID: <3115317.aeNJFYEL58@x2>
In-Reply-To: <CAKz+TUu1M06h_6q=AvNqhf3aiXAJTZZfsmL9aJnvS5BygAqu9Q@mail.gmail.com>
Hello,
On Friday, February 26, 2021 8:17:00 PM EST Alan Evangelista wrote:
> Each syscall has some arguments and the Linux Audit framework logs each
> pointer argument as a memory address instead of its values. For instance,
> when tracking the setxattr syscall, I get its arguments in the following
> format:
>
> "a0":"55f3604ba000"
> "a1":"7f1b0bd342fd"
> "a2":"55f3604d9b20"
> "a3":"38"
>
> According to https://man7.org/linux/man-pages/man2/setxattr.2.html, a0 is
> the file path's starting memory address, a1 is the extended attribute
> name's starting memory address, a2 is the extended attribute
> value's starting memory address and a3 is the size in bytes of the extended
> attribute value.
>
> Is it safe to access those memory addresses in order to get their values? I
> guess not because their content may have been overwritten between the time
> the syscall log entry was generated by the kernel and the time it's
> consumed by a Linux Audit client. If indeed it's unsafe to access these
> memory addresses, is there any other way to get the extended attribute
> name/value in the setxattr syscall using the Linux Audit framework?
Now that you mention it, we should probably have an xattr record that records
all those things. It is not safe to directly access those values, but it can
be done after copy_from_user makes a safe-to-access copy. We have issue 39
which is supposed to capture arg 4, but I think its scope should be
expanded.
https://github.com/linux-audit/audit-kernel/issues/39
-Steve
> My specific use case: I'm using Auditbeat/Linux Audit to track permission
> changes done to a disk partition which is mounted by Samba on a Windows
> Server box. When a Windows user changes permissions of a file in the Samba
> mount, Linux Audit records a setxattr event and Auditbeat (connected to the
> kernel's Audit framework via netlink) notifies me of the event. I need to
> know what permission changes the user has done in the file and AFAIK
> parsing the ext attrib name/value is the only way to do that.
>
> Thanks in advance.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
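As an added illustration of the point made in this thread (example code, not part of the original message or of the audit project), the script below parses a SYSCALL record and its companion PATH record for setxattr(2) the way a consumer such as Auditbeat sees them, and separates what the record actually preserves from what it does not. Audit prints a0..a3 in hexadecimal, so the "38" in the question is 0x38 = 56 bytes of value; a0..a2 are virtual addresses inside the calling process and cannot be dereferenced by whoever reads the log. The only way to get the attribute content from user space is a later getxattr(2) on the audited path, which is a separate read and may already reflect a newer value. The audit lines are constructed sample input; the syscall numbers (188/189/190) and arch value (c000003e) are the x86_64 ones, and the record layout follows the kernel's SYSCALL/PATH format.

```python
"""Extract what can be recovered from a setxattr(2) audit event.

Added example; sample records below are constructed, not captured from a real host.
"""
import os
import re
from collections import defaultdict

# __NR_setxattr family on x86_64 (arch=c000003e); other architectures differ.
XATTR_SYSCALLS_X86_64 = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}
X86_64_ARCH = "c000003e"

# Constructed sample: one event (serial 1234) made of SYSCALL, CWD and PATH records.
SAMPLE = """type=SYSCALL msg=audit(1614380220.123:1234): arch=c000003e syscall=188 success=yes exit=0 a0=55f3604ba000 a1=7f1b0bd342fd a2=55f3604d9b20 a3=38 items=1 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="smbd" exe="/usr/sbin/smbd" key="xattr"
type=CWD msg=audit(1614380220.123:1234): cwd="/"
type=PATH msg=audit(1614380220.123:1234): item=0 name="/srv/share/report.docx" inode=1234567 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    rec = {}
    for key, val in _FIELD.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    m = _MSG.search(line)
    if m:
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def group_events(text):
    """Group records by audit serial so SYSCALL and PATH lines can be joined."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def explain_setxattr(event):
    """Return what a log consumer can and cannot recover from a setxattr event."""
    sysrec = next((r for r in event if r.get("type") == "SYSCALL"), None)
    if sysrec is None or sysrec.get("arch") != X86_64_ARCH:
        return None
    nr = int(sysrec["syscall"])
    if nr not in XATTR_SYSCALLS_X86_64:
        return None
    name = XATTR_SYSCALLS_X86_64[nr]
    # Audit prints a0..a3 in hexadecimal without a 0x prefix.
    args = [int(sysrec[f"a{i}"], 16) for i in range(4)]
    # a0 is a path pointer for setxattr/lsetxattr but a file descriptor for fsetxattr.
    first = ("fd", args[0]) if name == "fsetxattr" else ("path", args[0])
    return {
        "syscall": name,
        "pid": int(sysrec["pid"]),
        # These are virtual addresses in pid's address space at call time. The log
        # consumer cannot read them, and the memory may have been reused since.
        "user_pointers": {first[0]: first[1], "name": args[1], "value": args[2]},
        "value_size": args[3],  # the only argument whose value survives in the record
        # Kernel-resolved names from PATH records (absent for fsetxattr).
        "paths": [r["name"] for r in event if r.get("type") == "PATH" and "name" in r],
    }


def xattrs_now(path):
    """Best-effort fallback: read the file's current xattrs at consumption time.

    This is a later read, not the value setxattr wrote; it differs if the
    attribute was changed again in between, and it needs permission to read
    the namespace (security.* usually requires CAP_SYS_ADMIN or ownership).
    """
    if not hasattr(os, "listxattr"):  # xattr calls exist only on Linux builds
        return None
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except OSError:
        return None


if __name__ == "__main__":
    for serial, event in group_events(SAMPLE).items():
        info = explain_setxattr(event)
        if info:
            print(serial, info)
            for p in info["paths"]:
                print(p, xattrs_now(p))
```

Run against a live log with `ausearch -i` output or raw `/var/log/audit/audit.log` lines; in both cases the pointer fields stay opaque, which is why the thread points at a dedicated xattr record from the kernel as the real fix.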
Thread overview:
2021-02-27 1:17 Getting the value of a syscall's memory address argument - setxattr Alan Evangelista
2021-02-27 21:44 ` Richard Guy Briggs
2021-03-01 10:24 ` Alan Evangelista
2021-03-02 16:55 ` Richard Guy Briggs
2021-03-02 15:27 ` Steve Grubb [this message]