LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 0/3] Better integrate seccomp logging and auditing
@ 2018-04-27 19:15 Tyler Hicks
  2018-04-27 19:16 ` [PATCH 1/3] seccomp: Separate read and write code for actions_logged sysctl Tyler Hicks
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Tyler Hicks @ 2018-04-27 19:15 UTC (permalink / raw)
  To: linux-kernel
  Cc: Kees Cook, Andy Lutomirski, Will Drewry, Paul Moore, Eric Paris,
	Steve Grubb, Jonathan Corbet, linux-audit, linux-security-module,
	linux-doc

Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
Administrators can prevent specific actions from being logged using the
kernel.seccomp.actions_logged sysctl.

However, one corner case intentionally wasn't addressed in those v4.14 changes.
When a process is being inspected by the audit subsystem, seccomp's decision
making for logging ignores the new controls and unconditionally logs every
action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
many existing applications don't intend to log handled actions due to them
occurring very frequently. This amount of logging fills the audit logs without
providing many benefits now that application authors have fine grained controls
at their disposal.

This patch set aligns the seccomp logging behavior for both audited and
unaudited processes. It also emits an audit record, if auditing is enabled,
when the kernel.seccomp.actions_logged sysctl is written to so that there's a
paper trail when entire actions are quieted.

Tyler

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2018-05-02 15:59 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-27 19:15 [PATCH 0/3] Better integrate seccomp logging and auditing Tyler Hicks
2018-04-27 19:16 ` [PATCH 1/3] seccomp: Separate read and write code for actions_logged sysctl Tyler Hicks
2018-04-27 19:16 ` [PATCH 2/3] seccomp: Audit attempts to modify the " Tyler Hicks
2018-05-01 15:18   ` Paul Moore
2018-05-01 16:41     ` Steve Grubb
2018-05-01 17:25       ` Paul Moore
2018-05-02 15:58         ` Tyler Hicks
2018-04-27 19:16 ` [PATCH 3/3] seccomp: Don't special case audited processes when logging Tyler Hicks
2018-05-01 15:27   ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).