LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Tyler Hicks <tyhicks@canonical.com>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Will Drewry <wad@chromium.org>, Paul Moore <paul@paul-moore.com>,
	Eric Paris <eparis@redhat.com>, Steve Grubb <sgrubb@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>,
	linux-audit@redhat.com, linux-security-module@vger.kernel.org,
	linux-doc@vger.kernel.org
Subject: [PATCH 0/3] Better integrate seccomp logging and auditing
Date: Fri, 27 Apr 2018 19:15:59 +0000	[thread overview]
Message-ID: <1524856562-22566-1-git-send-email-tyhicks@canonical.com> (raw)

Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
Administrators can prevent specific actions from being logged using the
kernel.seccomp.actions_logged sysctl.

However, one corner case intentionally wasn't addressed in those v4.14 changes.
When a process is being inspected by the audit subsystem, seccomp's decision
making for logging ignores the new controls and unconditionally logs every
action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
many existing applications don't intend to log handled actions due to them
occurring very frequently. This amount of logging fills the audit logs without
providing many benefits now that application authors have fine grained controls
at their disposal.

This patch set aligns the seccomp logging behavior for both audited and
unaudited processes. It also emits an audit record, if auditing is enabled,
when the kernel.seccomp.actions_logged sysctl is written to so that there's a
paper trail when entire actions are quieted.

Tyler

             reply	other threads:[~2018-04-27 19:17 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-27 19:15 Tyler Hicks [this message]
2018-04-27 19:16 ` [PATCH 1/3] seccomp: Separate read and write code for actions_logged sysctl Tyler Hicks
2018-04-27 19:16 ` [PATCH 2/3] seccomp: Audit attempts to modify the " Tyler Hicks
2018-05-01 15:18   ` Paul Moore
2018-05-01 16:41     ` Steve Grubb
2018-05-01 17:25       ` Paul Moore
2018-05-02 15:58         ` Tyler Hicks
2018-04-27 19:16 ` [PATCH 3/3] seccomp: Don't special case audited processes when logging Tyler Hicks
2018-05-01 15:27   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1524856562-22566-1-git-send-email-tyhicks@canonical.com \
    --to=tyhicks@canonical.com \
    --cc=corbet@lwn.net \
    --cc=eparis@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=paul@paul-moore.com \
    --cc=sgrubb@redhat.com \
    --cc=wad@chromium.org \
    --subject='Re: [PATCH 0/3] Better integrate seccomp logging and auditing' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).