Received: by 10.192.165.148 with SMTP id m20csp2418793imm;
        Sun, 6 May 2018 14:32:23 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZq2bUzuc9Sl52CUrI9JVpwPES4Ql1YSaeeCR8/bycXDl+JVpzTXMLyXAlP4SFab90R13xwh
X-Received: by 2002:a63:6dc8:: with SMTP id i191-v6mr27557377pgc.291.1525642343661;
        Sun, 06 May 2018 14:32:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525642343; cv=none;
        d=google.com; s=arc-20160816;
        b=TBP690gUld2Wd27T/y1hPxBF7qqr6Y/1yjqF+QpjPiiV3jxRUQvZihR9w7cjURZopG
         lusd/X2jzp+nsTnGmIwzYQ1BBbhsuqtBwzAYkQ6HqPDKCItJ0lZqukxYY9/SZEbCoHK2
         bf2h2JIPDe/T27TQgiVAxi8MLdhk7d7S/78UrvSPMncIxmbqNlIY85ga4tZ9K+P0Hw3K
         n8u/vMBzomCcF+WxKGmfqOyPggaI0ecKSAR6Bfzxxn80rhUzMlZPJBlzUejhV40DzTSf
         UCorLYG6HRuk6FwMuwbEZTbTkvTTtmJeVIW4Lr8qLhaWCfUURm3GKmnVszi9jDLjWGWV
         Lexg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=;
        b=rA33ISyy28XqQgABU5Xi66YO0fAGwUNPdZDMhUgiLHpq5qryVf4veA5gIr2BMjfrjo
         kqPdkvOFrRaQpssUvz3zGhhLiI4ikB3Jb0EbmfeyiU9RsXn8HgyXiCtETv76lP0MB7Hh
         pTUtK7Hfhm9FDfJLQAu8ACWzG7VLqTgkQW73NwbY37L3oPOwu9Uur5GsoMhevpXag6Jx
         q4AZW5wlOinw2moDaW/aKN1lCDMRXd1hQV+1VyuxsOT2hQJ6lTTprz2J1+dPpAgm2tQl
         nzvUfdb1p2LpwrXmn97K0cNKpEf3H5RLs7IXO+wbHVSzrMG2jAtBTXqzQLl6LXVrqxJT
         TLzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=RP1Ng1gQ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q6-v6si17072510pgp.258.2018.05.06.14.31.55;
        Sun, 06 May 2018 14:32:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=RP1Ng1gQ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751887AbeEFVbp (ORCPT <rfc822;zjuysxie86@gmail.com>
        + 99 others); Sun, 6 May 2018 17:31:45 -0400
Received: from mail-lf0-f50.google.com ([209.85.215.50]:33940 "EHLO
        mail-lf0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751834AbeEFVbn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 6 May 2018 17:31:43 -0400
Received: by mail-lf0-f50.google.com with SMTP id h4-v6so37822739lfc.1
        for <linux-kernel@vger.kernel.org>; Sun, 06 May 2018 14:31:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=;
        b=RP1Ng1gQARlWgXAeom3jh9O5O9wtYNjA9mPsLbBTGsNVbF5jO3p4HdGjD24g4XHoJN
         Qunbrq1B39ykc7Phe6XPTbklmAIxNysKgQtRCo1R2zJBhgyPJv4406hcYqxvGakcmp8+
         VAtus/VWjoSVB8FDEDmSwyvix2Ef8/Pt5FQEXSavsyUrm3vdUztoYN6M927539qQ90u2
         mF6iaYJiW14lU5+qo60rHnO5QRu+GSfFLpQ578W7ek0SPwAv5jbk4IBuR4dqgGF+vYLp
         cG3fHeAJwD44RUppSk4CL6a+XeuXcyPfDA8ZM+bzCF+Ab7nc8Q1MzlNBl0F76N1rfXiW
         gdhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=k9mY/ZBIB6QmoFoLPlnEGiPCF65alw46fi3QoASJNwI=;
        b=Uhe8057Sr02T0OfeFCpLfGj6Zt/gJfsNvlcOSjjB+f7JZGBYjs+b/DVIbNEVppa/nA
         VCWxbF5Wt5cUv9u9FdVmbEtmdNE3tRk+Asx+XmAOTHmXw00U+VaQ87ykjfyoZj+JNVfM
         6aKLTX+12f8ZzzsabwN6Fb88DJGPtr/vnw0+cWuTJ83lvifZFy0JuhJsVF4IMFKOda13
         TWxCRPDNpGaP9VfwKKPcjwd7R/qBs7CX7k/w0a1ltRbThFuBWy2PCWRm5DHnfuTnPGiB
         b0IHGXPAPqrgCusXde8888WXnO2//OdHTvsueG71fg7tukxWd3lp8t+pEviUT2e9QgIP
         yQSg==
X-Gm-Message-State: ALQs6tCRKsdhHHCFdUXBe1c401hlkvG8Fl8VCYiI7PNo76U9Wdl0kWqj
        VrAtc4PIyGY7sgO2uMfyguBR6LEVnDLaWNw6E1wz
X-Received: by 2002:a19:f505:: with SMTP id j5-v6mr21504512lfb.12.1525642301386;
 Sun, 06 May 2018 14:31:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:c78f:0:0:0:0:0 with HTTP; Sun, 6 May 2018 14:31:40 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <1525396095-27737-1-git-send-email-tyhicks@canonical.com>
References: <1525396095-27737-1-git-send-email-tyhicks@canonical.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Sun, 6 May 2018 17:31:40 -0400
Message-ID: <CAHC9VhQb46F0q4bbum9NMqi-spuDHaVDG7xSPDmOsWDP0RZ47g@mail.gmail.com>
Subject: Re: [PATCH v3 0/4] Better integrate seccomp logging and auditing
To:     Tyler Hicks <tyhicks@canonical.com>,
        Kees Cook <keescook@chromium.org>
Cc:     linux-kernel@vger.kernel.org,
        Andy Lutomirski <luto@amacapital.net>,
        Will Drewry <wad@chromium.org>, Eric Paris <eparis@redhat.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Jonathan Corbet <corbet@lwn.net>, linux-audit@redhat.com,
        linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 3, 2018 at 9:08 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> Seccomp received improved logging controls in v4.14. Applications can opt into
> logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
> SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
> They can also debug filter matching with the new SECCOMP_RET_LOG action.
> Administrators can prevent specific actions from being logged using the
> kernel.seccomp.actions_logged sysctl.
>
> However, one corner case intentionally wasn't addressed in those v4.14 changes.
> When a process is being inspected by the audit subsystem, seccomp's decision
> making for logging ignores the new controls and unconditionally logs every
> action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
> many existing applications don't intend to log handled actions due to them
> occurring very frequently. This amount of logging fills the audit logs without
> providing many benefits now that application authors have fine grained controls
> at their disposal.
>
> This patch set aligns the seccomp logging behavior for both audited and
> non-audited processes. It also emits an audit record, if auditing is enabled,
> when the kernel.seccomp.actions_logged sysctl is written to so that there's a
> paper trail when entire actions are quieted.
>
> Changes in v3:
> * Patch 3
>   - Never drop a field when emitting the audit record
>   - Use the value "?" for the actions field when an error occurred while
>     writing to the sysctl
>   - Use the value "?" for the actions and/or old-actions fields when a failure
>     to translate actions to names
>   - Use the value "(none)" for the actions and/or old-actions fields when no
>     actions are specified
>     + This is possible when writing an empty string to the sysctl
>   - Update the commit message to note the new values and give an example of
>     when an empty string is written
> * Patch 4
>   - Adjust the control flow of seccomp_log() to exit early if nothing should be
>     logged
>
> Changes in v2:
> * Patch 2
>   - New patch, allowing for a configurable separator between action names
> * Patch 3
>   - The value of the actions field in the audit record now uses a comma instead
>     of a space
>   - The value of the actions field in the audit record is no longer enclosed in
>     quotes
>   - audit_log_start() is called with the current processes' audit_context in
>     audit_seccomp_actions_logged()
>   - audit_seccomp_actions_logged() no longer records the pid, uid, auid, tty,
>     ses, task context, comm, or executable path
>   - The new and old value of seccomp_actions_logged is recorded in the
>     AUDIT_CONFIG_CHANGE record
>   - The value of the "res" field in the CONFIG_CHANGE audit record is corrected
>     (1 indicates success, 0 failure)
>   - Updated patch 3's commit message to reflect the updated audit record format
>     in the examples
> * Patch 4
>   - A function comment for audit_seccomp() was added to explain, among other
>     things, that event filtering is performed in seccomp_log()

Kees, are you still okay with v3?  Also, are you okay with these
patches going in via the audit tree, or would you prefer to take them
via seccomp?  I've got a slight preference for the audit tree myself,
but as I said before, as long as it hits Linus' tree I'm happy.

-- 
paul moore
www.paul-moore.com