From: Kees Cook
Date: Sun, 6 May 2018 16:36:48 -0700
Subject: Re: [PATCH v3 0/4] Better integrate seccomp logging and auditing
To: Paul Moore
Cc: Tyler Hicks, LKML, Andy Lutomirski, Will Drewry, Eric Paris, Steve Grubb, Jonathan Corbet, Linux Audit, linux-security-module, linux-doc@vger.kernel.org
References: <1525396095-27737-1-git-send-email-tyhicks@canonical.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, May 6, 2018 at 2:31 PM, Paul Moore wrote:
> On Thu, May 3, 2018 at 9:08 PM, Tyler Hicks wrote:
>> Seccomp received improved logging controls in v4.14. Applications can opt into
>> logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
>> SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
>> They can also debug filter matching with the new SECCOMP_RET_LOG action.
>> Administrators can prevent specific actions from being logged using the
>> kernel.seccomp.actions_logged sysctl.
>>
>> However, one corner case intentionally wasn't addressed in those v4.14 changes.
>> When a process is being inspected by the audit subsystem, seccomp's decision
>> making for logging ignores the new controls and unconditionally logs every
>> action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
>> many existing applications don't intend to log handled actions due to them
>> occurring very frequently. This amount of logging fills the audit logs without
>> providing many benefits now that application authors have fine grained controls
>> at their disposal.
>>
>> This patch set aligns the seccomp logging behavior for both audited and
>> non-audited processes. It also emits an audit record, if auditing is enabled,
>> when the kernel.seccomp.actions_logged sysctl is written to so that there's a
>> paper trail when entire actions are quieted.
>>
>> Changes in v3:
>> * Patch 3
>>   - Never drop a field when emitting the audit record
>>   - Use the value "?" for the actions field when an error occurred while
>>     writing to the sysctl
>>   - Use the value "?" for the actions and/or old-actions fields when a failure
>>     to translate actions to names
>>   - Use the value "(none)" for the actions and/or old-actions fields when no
>>     actions are specified
>>     + This is possible when writing an empty string to the sysctl
>>   - Update the commit message to note the new values and give an example of
>>     when an empty string is written
>> * Patch 4
>>   - Adjust the control flow of seccomp_log() to exit early if nothing should be
>>     logged
>>
>> Changes in v2:
>> * Patch 2
>>   - New patch, allowing for a configurable separator between action names
>> * Patch 3
>>   - The value of the actions field in the audit record now uses a comma instead
>>     of a space
>>   - The value of the actions field in the audit record is no longer enclosed in
>>     quotes
>>   - audit_log_start() is called with the current processes' audit_context in
>>     audit_seccomp_actions_logged()
>>   - audit_seccomp_actions_logged() no longer records the pid, uid, auid, tty,
>>     ses, task context, comm, or executable path
>>   - The new and old value of seccomp_actions_logged is recorded in the
>>     AUDIT_CONFIG_CHANGE record
>>   - The value of the "res" field in the CONFIG_CHANGE audit record is corrected
>>     (1 indicates success, 0 failure)
>>   - Updated patch 3's commit message to reflect the updated audit record format
>>     in the examples
>> * Patch 4
>>   - A function comment for audit_seccomp() was added to explain, among other
>>     things, that event filtering is performed in seccomp_log()
>
> Kees, are you still okay with v3? Also, are you okay with these
> patches going in via the audit tree, or would you prefer to take them
> via seccomp? I've got a slight preference for the audit tree myself,
> but as I said before, as long as it hits Linus' tree I'm happy.

Yup, it looks good. I have no tree preference, so you win! :)

Please consider the whole series:

Acked-by: Kees Cook

-Kees

--
Kees Cook
Pixel Security
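Added example, not part of the thread and not code from the patch series: a small triage script for the CONFIG_CHANGE records the cover letter describes, reporting which actions stopped being logged after a write to kernel.seccomp.actions_logged. The `actions`, `old-actions` and `res` fields and the "?" and "(none)" values are from the changelog above; the `op=seccomp-logging` key, the `msg=audit(...)` prefix and the sample records are assumptions constructed for illustration.

```python
# Added example: triage of seccomp actions_logged audit records.
# Field names (actions, old-actions, res) and the "?" / "(none)" values come
# from the cover letter; the rest of the record layout is an assumption.

def parse_actions(value):
    """Return a set of action names, or None when the kernel wrote "?"."""
    if value == "?":
        return None
    if value == "(none)":
        return set()
    return set(value.split(","))

def quieted_actions(record):
    """Return a finding for an actions_logged change, or None if unrelated."""
    fields = dict(tok.split("=", 1) for tok in record.split() if "=" in tok)
    if fields.get("type") != "CONFIG_CHANGE":
        return None
    if "actions" not in fields or "old-actions" not in fields:
        return None
    new = parse_actions(fields["actions"])
    old = parse_actions(fields["old-actions"])
    # res=1 means the write succeeded, res=0 that it failed.
    success = fields.get("res") == "1"
    # With "?" on either side the delta is unknown and needs manual review.
    removed = None if new is None or old is None else sorted(old - new)
    return {"success": success, "removed": removed}

def scan(lines):
    """Keep only records where logging of an action may have been quieted."""
    findings = [quieted_actions(line) for line in lines]
    return [f for f in findings if f and (f["removed"] is None or f["removed"])]

ALL = "kill_process,kill_thread,trap,errno,trace,log"
# Constructed sample records, not captured from a real system.
SAMPLE = [
    "type=CONFIG_CHANGE msg=audit(1525392371.454:120): op=seccomp-logging "
    "actions=kill_process,kill_thread,errno,trace,log old-actions=" + ALL + " res=1",
    "type=CONFIG_CHANGE msg=audit(1525392401.645:126): op=seccomp-logging "
    "actions=(none) old-actions=" + ALL + " res=1",
    "type=CONFIG_CHANGE msg=audit(1525392415.172:127): op=seccomp-logging "
    "actions=? old-actions=" + ALL + " res=0",
    "type=CONFIG_CHANGE msg=audit(1525392500.000:130): audit_enabled=1 old=1 res=1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```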