linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
Other
140 stars 37 forks source link

Q: pervasive security.capability xattr reads #150

Closed hanwen closed 1 year ago

hanwen commented 1 year ago

Hi there.

I work at Google, and I'm troubleshooting a performance problem. We have a number of FUSE file systems used for development (eg. serving source code), and we have an auditd configuration so the security team can keep tabs on nefarious activity.

We see that the audit subsystem generates copious xattr reads for "security.capability". For FUSE, those xattr reads are passed back into userspace, which creates an extra context switch and hampers performance. In our case, the FUSE filesystems universally reply ENODATA to these reads.

I was wondering why is the audit system reading "security.capability" even for objects such as a non-executable files and directories? For these objects, the xattr has no meaning.

I would think that in this function, https://elixir.bootlin.com/linux/latest/source/security/commoncap.c#L654 could do the xattr read if the filetype is S_IFREG and if there is an executable bit on the file, to curb the amount of traffic. Or do you rather think that this should be handled in the FUSE driver?

thanks!

pcmoore commented 1 year ago

Hi there.

Hi.

I work at Google, and I'm troubleshooting a performance problem. We have a number of FUSE file systems used for development (eg. serving source code), and we have an auditd configuration so the security team can keep tabs on nefarious activity.

We see that the audit subsystem generates copious xattr reads for "security.capability". For FUSE, those xattr reads are passed back into userspace, which creates an extra context switch and hampers performance. In our case, the FUSE filesystems universally reply ENODATA to these reads.

I was wondering why is the audit system reading "security.capability" even for objects such as a non-executable files and directories? For these objects, the xattr has no meaning.

You would need to profile/trace your specific solution to know for certain, but my guess is that this is simply due to the normal audit data collection on file operations. As an example, look at both what audit_inode() does as well as where it is called.

I would think that in this function, https://elixir.bootlin.com/linux/latest/source/security/commoncap.c#L654 could do the xattr read if the filetype is S_IFREG and if there is an executable bit on the file, to curb the amount of traffic. Or do you rather think that this should be handled in the FUSE driver?

Technical discussions such as this should be handled on the audit kernel mailing list, info below:

pcmoore commented 1 year ago

Closing in favor of the upstream mailing list thread: