Received: by 10.192.165.148 with SMTP id m20csp2418793imm; Sun, 6 May 2018 14:32:23 -0700 (PDT) X-Google-Smtp-Source: AB8JxZq2bUzuc9Sl52CUrI9JVpwPES4Ql1YSaeeCR8/bycXDl+JVpzTXMLyXAlP4SFab90R13xwh X-Received: by 2002:a63:6dc8:: with SMTP id i191-v6mr27557377pgc.291.1525642343661; Sun, 06 May 2018 14:32:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525642343; cv=none; d=google.com; s=arc-20160816; b=TBP690gUld2Wd27T/y1hPxBF7qqr6Y/1yjqF+QpjPiiV3jxRUQvZihR9w7cjURZopG lusd/X2jzp+nsTnGmIwzYQ1BBbhsuqtBwzAYkQ6HqPDKCItJ0lZqukxYY9/SZEbCoHK2 bf2h2JIPDe/T27TQgiVAxi8MLdhk7d7S/78UrvSPMncIxmbqNlIY85ga4tZ9K+P0Hw3K n8u/vMBzomCcF+WxKGmfqOyPggaI0ecKSAR6Bfzxxn80rhUzMlZPJBlzUejhV40DzTSf UCorLYG6HRuk6FwMuwbEZTbTkvTTtmJeVIW4Lr8qLhaWCfUURm3GKmnVszi9jDLjWGWV Lexg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=; b=rA33ISyy28XqQgABU5Xi66YO0fAGwUNPdZDMhUgiLHpq5qryVf4veA5gIr2BMjfrjo kqPdkvOFrRaQpssUvz3zGhhLiI4ikB3Jb0EbmfeyiU9RsXn8HgyXiCtETv76lP0MB7Hh pTUtK7Hfhm9FDfJLQAu8ACWzG7VLqTgkQW73NwbY37L3oPOwu9Uur5GsoMhevpXag6Jx q4AZW5wlOinw2moDaW/aKN1lCDMRXd1hQV+1VyuxsOT2hQJ6lTTprz2J1+dPpAgm2tQl nzvUfdb1p2LpwrXmn97K0cNKpEf3H5RLs7IXO+wbHVSzrMG2jAtBTXqzQLl6LXVrqxJT TLzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=RP1Ng1gQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q6-v6si17072510pgp.258.2018.05.06.14.31.55; Sun, 06 May 2018 14:32:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=RP1Ng1gQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751887AbeEFVbp (ORCPT + 99 others); Sun, 6 May 2018 17:31:45 -0400 Received: from mail-lf0-f50.google.com ([209.85.215.50]:33940 "EHLO mail-lf0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751834AbeEFVbn (ORCPT ); Sun, 6 May 2018 17:31:43 -0400 Received: by mail-lf0-f50.google.com with SMTP id h4-v6so37822739lfc.1 for ; Sun, 06 May 2018 14:31:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=; b=RP1Ng1gQARlWgXAeom3jh9O5O9wtYNjA9mPsLbBTGsNVbF5jO3p4HdGjD24g4XHoJN Qunbrq1B39ykc7Phe6XPTbklmAIxNysKgQtRCo1R2zJBhgyPJv4406hcYqxvGakcmp8+ VAtus/VWjoSVB8FDEDmSwyvix2Ef8/Pt5FQEXSavsyUrm3vdUztoYN6M927539qQ90u2 mF6iaYJiW14lU5+qo60rHnO5QRu+GSfFLpQ578W7ek0SPwAv5jbk4IBuR4dqgGF+vYLp cG3fHeAJwD44RUppSk4CL6a+XeuXcyPfDA8ZM+bzCF+Ab7nc8Q1MzlNBl0F76N1rfXiW gdhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=; b=Uhe8057Sr02T0OfeFCpLfGj6Zt/gJfsNvlcOSjjB+f7JZGBYjs+b/DVIbNEVppa/nA VCWxbF5Wt5cUv9u9FdVmbEtmdNE3tRk+Asx+XmAOTHmXw00U+VaQ87ykjfyoZj+JNVfM 6aKLTX+12f8ZzzsabwN6Fb88DJGPtr/vnw0+cWuTJ83lvifZFy0JuhJsVF4IMFKOda13 TWxCRPDNpGaP9VfwKKPcjwd7R/qBs7CX7k/w0a1ltRbThFuBWy2PCWRm5DHnfuTnPGiB b0IHGXPAPqrgCusXde8888WXnO2//OdHTvsueG71fg7tukxWd3lp8t+pEviUT2e9QgIP yQSg== X-Gm-Message-State: ALQs6tCRKsdhHHCFdUXBe1c401hlkvG8Fl8VCYiI7PNo76U9Wdl0kWqj VrAtc4PIyGY7sgO2uMfyguBR6LEVnDLaWNw6E1wz X-Received: by 2002:a19:f505:: with SMTP id j5-v6mr21504512lfb.12.1525642301386; Sun, 06 May 2018 14:31:41 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a19:c78f:0:0:0:0:0 with HTTP; Sun, 6 May 2018 14:31:40 -0700 (PDT) X-Originating-IP: [108.20.156.165] In-Reply-To: <1525396095-27737-1-git-send-email-tyhicks@canonical.com> References: <1525396095-27737-1-git-send-email-tyhicks@canonical.com> From: Paul Moore Date: Sun, 6 May 2018 17:31:40 -0400 Message-ID: Subject: Re: [PATCH v3 0/4] Better integrate seccomp logging and auditing To: Tyler Hicks , Kees Cook Cc: linux-kernel@vger.kernel.org, Andy Lutomirski , Will Drewry , Eric Paris , Steve Grubb , Jonathan Corbet , linux-audit@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 3, 2018 at 9:08 PM, Tyler Hicks wrote: > Seccomp received improved logging controls in v4.14. Applications can opt into > logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, > SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. > They can also debug filter matching with the new SECCOMP_RET_LOG action. > Administrators can prevent specific actions from being logged using the > kernel.seccomp.actions_logged sysctl. > > However, one corner case intentionally wasn't addressed in those v4.14 changes. > When a process is being inspected by the audit subsystem, seccomp's decision > making for logging ignores the new controls and unconditionally logs every > action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since > many existing applications don't intend to log handled actions due to them > occurring very frequently. This amount of logging fills the audit logs without > providing many benefits now that application authors have fine grained controls > at their disposal. > > This patch set aligns the seccomp logging behavior for both audited and > non-audited processes. It also emits an audit record, if auditing is enabled, > when the kernel.seccomp.actions_logged sysctl is written to so that there's a > paper trail when entire actions are quieted. > > Changes in v3: > * Patch 3 > - Never drop a field when emitting the audit record > - Use the value "?" for the actions field when an error occurred while > writing to the sysctl > - Use the value "?" for the actions and/or old-actions fields when a failure > to translate actions to names > - Use the value "(none)" for the actions and/or old-actions fields when no > actions are specified > + This is possible when writing an empty string to the sysctl > - Update the commit message to note the new values and give an example of > when an empty string is written > * Patch 4 > - Adjust the control flow of seccomp_log() to exit early if nothing should be > logged > > Changes in v2: > * Patch 2 > - New patch, allowing for a configurable separator between action names > * Patch 3 > - The value of the actions field in the audit record now uses a comma instead > of a space > - The value of the actions field in the audit record is no longer enclosed in > quotes > - audit_log_start() is called with the current processes' audit_context in > audit_seccomp_actions_logged() > - audit_seccomp_actions_logged() no longer records the pid, uid, auid, tty, > ses, task context, comm, or executable path > - The new and old value of seccomp_actions_logged is recorded in the > AUDIT_CONFIG_CHANGE record > - The value of the "res" field in the CONFIG_CHANGE audit record is corrected > (1 indicates success, 0 failure) > - Updated patch 3's commit message to reflect the updated audit record format > in the examples > * Patch 4 > - A function comment for audit_seccomp() was added to explain, among other > things, that event filtering is performed in seccomp_log() Kees, are you still okay with v3? Also, are you okay with these patches going in via the audit tree, or would you prefer to take them via seccomp? I've got a slight preference for the audit tree myself, but as I said before, as long as it hits Linus' tree I'm happy. -- paul moore www.paul-moore.com