Re: [PATCH v1 2/2] io_uring,audit: do not log IORING_OP_*GETXATTR
On Fri, Jan 27, 2023 at 12:24 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
Getting XATTRs is not particularly interesting security-wise.
Suggested-by: Steve Grubb <sgrubb(a)redhat.com>
Fixes: a56834e0fafe ("io_uring: add fgetxattr and getxattr support")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
io_uring/opdef.c | 2 ++
1 file changed, 2 insertions(+)
Depending on your security policy, fetching file data, including
xattrs, can be interesting from a security perspective. As an
example, look at the SELinux file/getattr permission.
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/object_c...
diff --git a/io_uring/opdef.c b/io_uring/opdef.c
index a2bf53b4a38a..f6bfe2cf078c 100644
--- a/io_uring/opdef.c
+++ b/io_uring/opdef.c
@@ -462,12 +462,14 @@ const struct io_op_def io_op_defs[] = {
},
[IORING_OP_FGETXATTR] = {
.needs_file = 1,
+ .audit_skip = 1,
.name = "FGETXATTR",
.prep = io_fgetxattr_prep,
.issue = io_fgetxattr,
.cleanup = io_xattr_cleanup,
},
[IORING_OP_GETXATTR] = {
+ .audit_skip = 1,
.name = "GETXATTR",
.prep = io_getxattr_prep,
.issue = io_getxattr,
--
2.27.0
--
paul-moore.com