From: Paul Moore
Date: Thu, 3 May 2018 16:18:26 -0400
Subject: Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl
To: Steve Grubb
Cc: Tyler Hicks, linux-kernel@vger.kernel.org, Kees Cook, Andy Lutomirski, Will Drewry, Eric Paris, Jonathan Corbet, linux-audit@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org
In-Reply-To: <2193990.pCRMhOm3SD@x2>
References: <1525276400-7161-1-git-send-email-tyhicks@canonical.com> <1525276400-7161-4-git-send-email-tyhicks@canonical.com> <2193990.pCRMhOm3SD@x2>
List-ID: linux-kernel@vger.kernel.org

On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wrote:
> On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote:
>> The decision to log a seccomp action will always be subject to the
>> value of the kernel.seccomp.actions_logged sysctl, even for processes
>> that are being inspected via the audit subsystem, in an upcoming patch.
>> Therefore, we need to emit an audit record on attempts at writing to the
>> actions_logged sysctl when auditing is enabled.
>>
>> This patch updates the write handler for the actions_logged sysctl to
>> emit an audit record on attempts to write to the sysctl. Successful
>> writes to the sysctl will result in a record that includes a normalized
>> list of logged actions in the "actions" field and a "res" field equal to
>> 0. Unsuccessful writes to the sysctl will result in a record that
>> doesn't include the "actions" field and has a "res" field equal to 1.
>>
>> Not all unsuccessful writes to the sysctl are audited. For example, an
>> audit record will not be emitted if an unprivileged process attempts to
>> open the sysctl file for reading since that access control check is not
>> part of the sysctl's write handler.
>>
>> Below are some example audit records when writing various strings to the
>> actions_logged sysctl.
>>
>> Writing "not-a-real-action", when the kernel.seccomp.actions_logged
>> sysctl previously was "kill_process kill_thread trap errno trace log",
>> emits this audit record:
>>
>> type=CONFIG_CHANGE msg=audit(1525275273.537:130): op=seccomp-logging
>> old-actions=kill_process,kill_thread,trap,errno,trace,log res=0
>>
>> If you then write "kill_process kill_thread errno trace log", this audit
>> record is emitted:
>>
>> type=CONFIG_CHANGE msg=audit(1525275310.208:136): op=seccomp-logging
>> actions=kill_process,kill_thread,errno,trace,log
>> old-actions=kill_process,kill_thread,trap,errno,trace,log res=1
>>
>> If you then write the string "log log errno trace kill_process
>> kill_thread", which is unordered and contains the log action twice,
>> it results in the same actions value as the previous record:
>>
>> type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging
>> actions=kill_process,kill_thread,errno,trace,log
>> old-actions=kill_process,kill_thread,errno,trace,log res=1
>>
>> No audit records are generated when reading the actions_logged sysctl.
>
> ACK for the format of the records.

I just wanted to clarify the record format with you, Steve ... the
"actions" and "old-actions" fields may not be included in the record in
cases where there is an error building the action value string. Are you
okay with that, or would you prefer the fields to always be included but
with a "?" for the value?

-- 
paul moore
www.paul-moore.com
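The following is an added example, not code from the patch or the thread: it parses the CONFIG_CHANGE records quoted above into a form a detection rule can use, reports which actions a successful write stopped logging, and treats a record without "actions"/"old-actions" (the case Paul asks about) as undecidable. It assumes res=1 means a successful write, as in the three example records, and that the canonical action order the kernel writes is the one those records show.

```python
import re

# Canonical order as it appears in the records quoted in the thread; assumed to
# match the kernel's own ordering (not taken from kernel source here).
ACTION_ORDER = ["kill_process", "kill_thread", "trap", "errno", "trace", "log"]

# Constructed sample input: the three records shown in the patch description.
SAMPLE_RECORDS = [
    "type=CONFIG_CHANGE msg=audit(1525275273.537:130): op=seccomp-logging "
    "old-actions=kill_process,kill_thread,trap,errno,trace,log res=0",
    "type=CONFIG_CHANGE msg=audit(1525275310.208:136): op=seccomp-logging "
    "actions=kill_process,kill_thread,errno,trace,log "
    "old-actions=kill_process,kill_thread,trap,errno,trace,log res=1",
    "type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging "
    "actions=kill_process,kill_thread,errno,trace,log "
    "old-actions=kill_process,kill_thread,errno,trace,log res=1",
]

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")


def normalize_actions(text):
    """Mimic the sysctl write handler: dedupe, canonical order, reject unknown names."""
    wanted = set(text.split())
    unknown = wanted.difference(ACTION_ORDER)
    if unknown:
        raise ValueError("unknown seccomp action(s): " + ",".join(sorted(unknown)))
    return ",".join(a for a in ACTION_ORDER if a in wanted)


def parse_record(line):
    """Parse one seccomp-logging CONFIG_CHANGE record; absent action fields become None."""
    m = RECORD_RE.match(line)
    if not m or m.group("type") != "CONFIG_CHANGE":
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split())
    if fields.get("op") != "seccomp-logging":
        return None
    actions = lambda key: set(fields[key].split(",")) if key in fields else None
    return {"serial": int(m.group("serial")), "res": int(fields["res"]),
            "actions": actions("actions"), "old-actions": actions("old-actions")}


def logging_disabled_for(rec):
    """Actions whose logging a successful write turned off; None if undecidable."""
    if rec["res"] != 1:          # failed write: the sysctl value did not change
        return set()
    if rec["actions"] is None or rec["old-actions"] is None:
        return None              # a field was omitted (error building the string)
    return rec["old-actions"] - rec["actions"]
```

Feeding record 136 through logging_disabled_for yields {"trap"}, the kind of change a monitoring rule would want to flag, since seccomp SECCOMP_RET_TRAP outcomes stop being logged afterwards.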