From: Paul Moore
Date: Thu, 3 May 2018 16:48:09 -0400
Subject: Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl
To: Steve Grubb, Tyler Hicks
Cc: linux-kernel@vger.kernel.org, Kees Cook, Andy Lutomirski, Will Drewry, Eric Paris, Jonathan Corbet, linux-audit@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org
In-Reply-To: <3241732.94y415NZZK@x2>
References: <1525276400-7161-1-git-send-email-tyhicks@canonical.com> <2193990.pCRMhOm3SD@x2> <3241732.94y415NZZK@x2>
Message-ID:
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote:
> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote:
>> On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wrote:
>> > On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote:
>> >> The decision to log a seccomp action will always be subject to the
>> >> value of the kernel.seccomp.actions_logged sysctl, even for processes
>> >> that are being inspected via the audit subsystem, in an upcoming patch.
>> >> Therefore, we need to emit an audit record on attempts at writing to the
>> >> actions_logged sysctl when auditing is enabled.
>> >>
>> >> This patch updates the write handler for the actions_logged sysctl to
>> >> emit an audit record on attempts to write to the sysctl. Successful
>> >> writes to the sysctl will result in a record that includes a normalized
>> >> list of logged actions in the "actions" field and a "res" field equal to
>> >> 0. Unsuccessful writes to the sysctl will result in a record that
>> >> doesn't include the "actions" field and has a "res" field equal to 1.
>> >>
>> >> Not all unsuccessful writes to the sysctl are audited. For example, an
>> >> audit record will not be emitted if an unprivileged process attempts to
>> >> open the sysctl file for reading since that access control check is not
>> >> part of the sysctl's write handler.
>> >>
>> >> Below are some example audit records when writing various strings to the
>> >> actions_logged sysctl.
>> >>
>> >> Writing "not-a-real-action", when the kernel.seccomp.actions_logged
>> >> sysctl previously was "kill_process kill_thread trap errno trace log",
>> >> emits this audit record:
>> >>
>> >> type=CONFIG_CHANGE msg=audit(1525275273.537:130): op=seccomp-logging
>> >> old-actions=kill_process,kill_thread,trap,errno,trace,log res=0
>> >>
>> >> If you then write "kill_process kill_thread errno trace log", this audit
>> >> record is emitted:
>> >>
>> >> type=CONFIG_CHANGE msg=audit(1525275310.208:136): op=seccomp-logging
>> >> actions=kill_process,kill_thread,errno,trace,log
>> >> old-actions=kill_process,kill_thread,trap,errno,trace,log res=1
>> >>
>> >> If you then write the string "log log errno trace kill_process
>> >> kill_thread", which is unordered and contains the log action twice,
>> >> it results in the same actions value as the previous record:
>> >>
>> >> type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging
>> >> actions=kill_process,kill_thread,errno,trace,log
>> >> old-actions=kill_process,kill_thread,errno,trace,log res=1
>> >>
>> >> No audit records are generated when reading the actions_logged sysctl.
>> >
>> > ACK for the format of the records.
>>
>> I just wanted to clarify the record format with you Steve ... the
>> "actions" and "old-actions" fields may not be included in the record
>> in cases where there is an error building the action value string, are
>> you okay with that or would you prefer the fields to always be
>> included but with a "?" for the value?
>
> A ? would be more in line with how other things are handled.

That's what I thought. Would you mind putting together a v3 Tyler? :)

-- 
paul moore
www.paul-moore.com
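Added example, not part of this thread and not code from the seccomp patch or from audit userspace: detection logic run over the three CONFIG_CHANGE op=seccomp-logging records quoted in the patch description above. It classifies each write to kernel.seccomp.actions_logged by diffing the "old-actions" and "actions" lists and flags the case a defender cares about, a write that drops actions from the logged set (serial 136 above drops "trap"), since that silently reduces seccomp visibility. A rejected write is recognised by the absence of the "actions" field, which the patch description says is omitted on failure, rather than by the value of "res". Assumptions: the fourth record (serial 150) is constructed to exercise the "?" placeholder Steve asks for and is not a real kernel record; the field splitter only handles unquoted key=value tokens, which is all these records contain.

```python
"""Triage CONFIG_CHANGE op=seccomp-logging audit records.

Illustrative detection logic (not kernel or audit-userspace code). It flags
writes to kernel.seccomp.actions_logged that shrink the set of logged seccomp
actions, since that reduces the visibility a defender gets from seccomp.
"""
import re
from typing import Optional

# Canonical order of the sysctl's normalized output, as seen in the records
# quoted in the patch description.
CANONICAL_ORDER = ["kill_process", "kill_thread", "trap", "errno", "trace", "log"]

# The three records quoted in the patch description, plus one constructed
# record (serial 150, not from the kernel) showing the "?" placeholder.
SAMPLE_RECORDS = [
    "type=CONFIG_CHANGE msg=audit(1525275273.537:130): op=seccomp-logging "
    "old-actions=kill_process,kill_thread,trap,errno,trace,log res=0",
    "type=CONFIG_CHANGE msg=audit(1525275310.208:136): op=seccomp-logging "
    "actions=kill_process,kill_thread,errno,trace,log "
    "old-actions=kill_process,kill_thread,trap,errno,trace,log res=1",
    "type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging "
    "actions=kill_process,kill_thread,errno,trace,log "
    "old-actions=kill_process,kill_thread,errno,trace,log res=1",
    # constructed: "actions" collapsed to "?" because the string could not be built
    "type=CONFIG_CHANGE msg=audit(1525275400.000:150): op=seccomp-logging "
    "actions=? old-actions=kill_process,kill_thread,errno,trace,log res=1",
]

MSG_RE = re.compile(r"^audit\((\d+\.\d+):(\d+)\):?$")


def parse_record(line: str) -> dict:
    """Split a record into key=value fields and expand msg=audit(TS:SERIAL).

    Simplified: quoted values containing spaces are not handled, which is
    fine for seccomp-logging CONFIG_CHANGE records.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    m = MSG_RE.match(fields.get("msg", ""))
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def parse_actions(value: Optional[str]) -> Optional[set]:
    """Comma-separated action list -> set; None if absent or the "?" placeholder."""
    if value is None or value == "?":
        return None
    return set(value.split(","))


def ordered(actions: set) -> list:
    """Known actions in canonical order, then any unknown names sorted."""
    known = [a for a in CANONICAL_ORDER if a in actions]
    return known + sorted(actions - set(CANONICAL_ORDER))


def assess(fields: dict) -> dict:
    """Classify one parsed record.

    Verdicts: 'rejected' (no "actions" field, so the write was refused),
    'unknown' (a field is "?"), 'reduced' (actions dropped from the logged
    set), 'expanded', or 'unchanged'.
    """
    if fields.get("type") != "CONFIG_CHANGE" or fields.get("op") != "seccomp-logging":
        return {"relevant": False}
    result = {"relevant": True, "serial": fields.get("serial"),
              "res": fields.get("res"), "removed": [], "added": []}
    if "actions" not in fields:
        result["verdict"] = "rejected"
        return result
    new = parse_actions(fields["actions"])
    old = parse_actions(fields.get("old-actions"))
    if new is None or old is None:
        result["verdict"] = "unknown"
        return result
    result["removed"] = ordered(old - new)
    result["added"] = ordered(new - old)
    if result["removed"]:
        result["verdict"] = "reduced"
    elif result["added"]:
        result["verdict"] = "expanded"
    else:
        result["verdict"] = "unchanged"
    return result


def triage(lines) -> list:
    """Assess every record; unrelated record types come back as irrelevant."""
    return [assess(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        if r["relevant"]:
            print(f"serial={r['serial']} verdict={r['verdict']} "
                  f"removed={r['removed']} added={r['added']}")
```

Run as a script it prints one verdict per record; in practice the same functions would be fed `ausearch -m CONFIG_CHANGE` output, with "reduced" and "unknown" being the verdicts worth alerting on.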