Linux-audit Archive on
 help / color / Atom feed
From: Alan Evangelista <>
Subject: Getting the value of a syscall's memory address argument - setxattr
Date: Fri, 26 Feb 2021 22:17:00 -0300
Message-ID: <> (raw)

[-- Attachment #1.1: Type: text/plain, Size: 1551 bytes --]

Each syscall has some arguments and the Linux Audit framework logs each
pointer argument as a memory address instead of its values. For instance,
when tracking the setxattr syscall, I get its arguments in the following


According to, a0 is
the file path's starting memory address, a1 is the extended attribute
name's starting memory address, a2 is the extended attribute
value's starting memory address and a3 is the size in bytes of the extended
attribute value.

Is it safe to access those memory addresses in order to get their values? I
guess not because their content may have been overwritten between the time
the syscall log entry was generated by the kernel and the time it's
consumed by a Linux Audit client. If indeed it's unsafe to access these
memory addresses, is there any other way to get the extended attribute
name/value in the setxattr syscall using the Linux Audit framework?

My specific use case: I'm using Auditbeat/Linux Audit to track permission
changes done to a disk partition which is mounted by Samba on a Windows
Server box. When a Windows user changes permissions of a file in the Samba
mount, Linux Audit records a setxattr event and Auditbeat (connected to the
kernel's Audit framework via netlink) notifies me of the event. I need to
know what permission changes the user has done in the file and AFAIK
parsing the ext attrib name/value is the only way to do that.

Thanks in advance.

[-- Attachment #1.2: Type: text/html, Size: 1924 bytes --]

[-- Attachment #2: Type: text/plain, Size: 106 bytes --]

Linux-audit mailing list

             reply index

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-27  1:17 Alan Evangelista [this message]
2021-02-27 21:44 ` Richard Guy Briggs
2021-03-01 10:24   ` Alan Evangelista
2021-03-02 16:55     ` Richard Guy Briggs
2021-03-02 15:27 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='' \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-audit Archive on

Archives are clonable:
	git clone --mirror linux-audit/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-audit linux-audit/ \
	public-inbox-index linux-audit

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone