From: Tyler Hicks
To: Kees Cook
Cc: Andy Lutomirski, Will Drewry, Paul Moore, Eric Paris, John Crispin, Tycho Andersen, linux-audit@redhat.com, LKML, Linux API
Subject: Re: [PATCH v6 3/6] seccomp: Sysctl to configure actions that are allowed to be logged
Date: Fri, 11 Aug 2017 14:33:35 -0500
Message-ID: <23a0adb0-4db0-52aa-831e-36ceca466636@canonical.com>
References: <1502426037-3777-1-git-send-email-tyhicks@canonical.com> <1502426037-3777-4-git-send-email-tyhicks@canonical.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/11/2017 02:17 PM, Kees Cook wrote:
> On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks wrote:
>> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table,= int write, >> + void __user *buffer, size_t = *lenp, >> + loff_t *ppos) >> +{ >> + char names[sizeof(seccomp_actions_avail)]; >> + struct ctl_table table; >> + int ret; >> + >> + if (write && !capable(CAP_SYS_ADMIN)) >> + return -EPERM; >> + >> + memset(names, 0, sizeof(names)); >> + >> + if (!write) { >> + if (!seccomp_names_from_actions_logged(names, sizeof(n= ames), >> + seccomp_actions= _logged)) >> + return -EINVAL; >> + } >> + >> + table =3D *ro_table; >> + table.data =3D names; >> + table.maxlen =3D sizeof(names); >> + ret =3D proc_dostring(&table, write, buffer, lenp, ppos); >> + if (ret) >> + return ret; >> + >> + if (write) { >> + u32 actions_logged; >> + >> + if (!seccomp_actions_logged_from_names(&actions_logged= , >> + table.data)) >> + return -EINVAL; >> + >> + if (actions_logged & SECCOMP_LOG_ALLOW) >> + return -EINVAL; >> + >> + seccomp_actions_logged =3D actions_logged; >> + } >> + >> + return 0; >> +}
>
> One thought here: should "kill" be always forced on during a write?
> This flag effectively cannot be disabled, so listing it (or not) in
> the sysctl may be confusing...

"kill" can be silenced in the current implementation. Let's hammer out whether or not that's the right thing to do and then we can discuss the sysctl behavior on write. I don't personally have any concerns about an admin being able to silence RET_KILL logs but let me know if you are against it.

Tyler

>
> -Kees
>
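
Review bot: In the write branch, the only validation after parsing is the SECCOMP_LOG_ALLOW rejection, and the parsed mask is then stored unchanged, so a write that omits "kill" turns kill logging off with no comment stating that this is intended. Whichever way the thread decides, record it in the handler: either a comment above the assignment to seccomp_actions_logged saying that every action, kill included, may be silenced by a CAP_SYS_ADMIN writer, or a step that sets the kill bit in actions_logged before the store. The SECCOMP_LOG_ALLOW check also deserves a one-line comment explaining why that value is refused with -EINVAL.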