Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932818AbcDKNaX (ORCPT ); Mon, 11 Apr 2016 09:30:23 -0400 Received: from mail-ob0-f182.google.com ([209.85.214.182]:34748 "EHLO mail-ob0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932145AbcDKNaT (ORCPT ); Mon, 11 Apr 2016 09:30:19 -0400 MIME-Version: 1.0 X-Originating-IP: [108.49.39.189] In-Reply-To: <1460348008-27076-1-git-send-email-andi@firstfloor.org> References: <1460348008-27076-1-git-send-email-andi@firstfloor.org> Date: Mon, 11 Apr 2016 09:30:17 -0400 Message-ID: Subject: Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default From: Paul Moore To: Andi Kleen Cc: Eric Paris , linux-kernel@vger.kernel.org, Andi Kleen , linux-audit@redhat.com Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5527 Lines: 156 On Mon, Apr 11, 2016 at 12:13 AM, Andi Kleen wrote: > From: Andi Kleen > > When I run chrome on my opensuse system every time I open > a new tab the system log is spammed with: > > audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857 > comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e > syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000 > > This happens because chrome uses SECCOMP for its sandbox, > and for some reason always reaches a SECCOMP_KILL or more likely > SECCOMP_RET_ERRNO in the rule set. > > The seccomp auditing was originally added by Eric with > > commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31 > Author: Eric Paris > Date: Tue Jan 3 14:23:05 2012 -0500 > > seccomp: audit abnormal end to a process due to seccomp > > The audit system likes to collect information about processes that end > abnormally (SIGSEGV) as this may me useful intrusion detection information. > This patch adds audit support to collect information when seccomp > forces a task to exit because of misbehavior in a similar way. > > I don't have any other syscall auditing enabled, > just the standard user space auditing used by the systemd > and PAM userland. So basic auditing is alwas enabled, > but no other kernel auditing. > > Add a sysctl to enable this unconditional behavior with default > to off. This replaces an earlier patch that simply checked > whether syscall auditing was on, but Paul Moore preferred > this more elaborate approach. > > Signed-off-by: Andi Kleen > --- > Documentation/sysctl/kernel.txt | 9 +++++++++ > include/linux/audit.h | 4 +++- > kernel/seccomp.c | 4 ++++ > kernel/sysctl.c | 11 +++++++++++ > 4 files changed, 27 insertions(+), 1 deletion(-) Quick response as I'm traveling the next few days and time/connectivity will be spotty ... thanks for sending an updated patch, some initial thoughts: * My thinking was that the sysctl knob could be a threshold value such that setting it to 0x00030000 would only log TRAP and KILL. * With the sysctl tunable defaulting to no-logging there is no need to check for audit_enabled, further, checking for audit_enabled would prevent logging to dmesg/syslog which I believe is valuable (you may not). * A bit nitpicky, but considering the possibility of logging to dmesg/syslog when auditing is disabled, I think "seccomp-log-threshold" or similar would be a better sysctl name. > diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt > index 57653a4..abc6ef9 100644 > --- a/Documentation/sysctl/kernel.txt > +++ b/Documentation/sysctl/kernel.txt > @@ -21,6 +21,7 @@ show up in /proc/sys/kernel: > - acct > - acpi_video_flags > - auto_msgmni > +- audit_log_seccomp > - bootloader_type [ X86 only ] > - bootloader_version [ X86 only ] > - callhome [ S390 only ] > @@ -129,6 +130,14 @@ upon memory add/remove or upon ipc namespace creation/removal. > Echoing "1" into this file enabled msgmni automatic recomputing. > Echoing "0" turned it off. auto_msgmni default value was 1. > > +============================================================== > + > +audit_log_seccomp > + > +When this variable is set to 1 every SECCOMP_KILL/SECCOMP_RET_ERRNO > +results in an audit log. This is generally a bad idea because > +it leads to a audit message every time Chrome opens a new tab. > +Defaults to 0. > > ============================================================== > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index e38e3fc..c7787ba 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -315,9 +315,11 @@ static inline void audit_inode_child(struct inode *parent, > } > void audit_core_dumps(long signr); > > +extern int audit_log_seccomp; > + > static inline void audit_seccomp(unsigned long syscall, long signr, int code) > { > - if (!audit_enabled) > + if (!audit_enabled || !audit_log_seccomp) > return; > > /* Force a record to be reported if a signal was delivered. */ > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index e1e5a35..09a8b03 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -25,6 +25,10 @@ > #include > #endif > > +#ifdef CONFIG_AUDIT > +int audit_log_seccomp __read_mostly = 0; > +#endif > + > #ifdef CONFIG_SECCOMP_FILTER > #include > #include > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index 725587f..0c7611e 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -65,6 +65,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -529,6 +530,16 @@ static struct ctl_table kern_table[] = { > .proc_handler = proc_dointvec, > }, > #endif > +#ifdef CONFIG_AUDIT > + { > + .procname = "audit-log-seccomp", > + .data = &audit_log_seccomp, > + .maxlen = sizeof(int), > + .mode = 0644, > + .proc_handler = proc_dointvec, > + }, > + > +#endif > { > .procname = "print-fatal-signals", > .data = &print_fatal_signals, > -- > 2.7.4 > -- paul moore www.paul-moore.com