From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CBA7BC433E0 for ; Tue, 2 Mar 2021 15:27:23 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 416E664F38 for ; Tue, 2 Mar 2021 15:27:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 416E664F38 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1614698842; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=o61LnllXCbSr7kLKGk5y57RJ0TnBNgcJn38AZjjfAwE=; b=JzunDdA7benW8AHEqnOm/oJ/wGIDfgxCwMPQoFr3utiiFTE4fTlGkJqb7524lnNMU3j/sT OeFZ4t7cVTOogpSTz0sm2qQh9Qd1tIupXhTJuPNMI8A3EVYO75s6t1OjO6YIGoQ5Z4AYLr 9CMtih1RD58s958mISpdA/rtY85KMjo= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-460-EXLZSZuLNjOnxqJezF7z-w-1; Tue, 02 Mar 2021 10:27:20 -0500 X-MC-Unique: EXLZSZuLNjOnxqJezF7z-w-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 888EE107ACE3; Tue, 2 Mar 2021 15:27:16 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5227C1E2; Tue, 2 Mar 2021 15:27:16 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 56FAB4E58E; Tue, 2 Mar 2021 15:27:15 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 122FRDK9018252 for ; Tue, 2 Mar 2021 10:27:13 -0500 Received: by smtp.corp.redhat.com (Postfix) id 84DA660C47; Tue, 2 Mar 2021 15:27:13 +0000 (UTC) Received: from x2.localnet (ovpn-116-197.rdu2.redhat.com [10.10.116.197]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3B03160C43; Tue, 2 Mar 2021 15:27:09 +0000 (UTC) From: Steve Grubb To: linux-audit@redhat.com Subject: Re: Getting the value of a syscall's memory address argument - setxattr Date: Tue, 02 Mar 2021 10:27:08 -0500 Message-ID: <3115317.aeNJFYEL58@x2> Organization: Red Hat In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-loop: linux-audit@redhat.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hello, On Friday, February 26, 2021 8:17:00 PM EST Alan Evangelista wrote: > Each syscall has some arguments and the Linux Audit framework logs each > pointer argument as a memory address instead of its values. For instance, > when tracking the setxattr syscall, I get its arguments in the following > format: > > "a0":"55f3604ba000" > "a1":"7f1b0bd342fd" > "a2":"55f3604d9b20" > "a3":"38" > > According to https://man7.org/linux/man-pages/man2/setxattr.2.html, a0 is > the file path's starting memory address, a1 is the extended attribute > name's starting memory address, a2 is the extended attribute > value's starting memory address and a3 is the size in bytes of the extended > attribute value. > > Is it safe to access those memory addresses in order to get their values? I > guess not because their content may have been overwritten between the time > the syscall log entry was generated by the kernel and the time it's > consumed by a Linux Audit client. If indeed it's unsafe to access these > memory addresses, is there any other way to get the extended attribute > name/value in the setxattr syscall using the Linux Audit framework? Now that you mention it, we should probably have a xattr record that records all those things. It is not safe to directly access those values, but it can be done after copy_from_user makes a safe to access copy. We have issue 39 which is supposed to capture arg 4, but I think it's scope should be expanded. https://github.com/linux-audit/audit-kernel/issues/39 -Steve > My specific use case: I'm using Auditbeat/Linux Audit to track permission > changes done to a disk partition which is mounted by Samba on a Windows > Server box. When a Windows user changes permissions of a file in the Samba > mount, Linux Audit records a setxattr event and Auditbeat (connected to the > kernel's Audit framework via netlink) notifies me of the event. I need to > know what permission changes the user has done in the file and AFAIK > parsing the ext attrib name/value is the only way to do that. > > Thanks in advance. -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit