On 01/02/2017 11:57 PM, Andy Lutomirski wrote: > On Mon, Jan 2, 2017 at 8:53 AM, Tyler Hicks wrote: >> This patch set creates the basis for auditing information specific to a given >> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return >> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the >> errno value that will be returned to userspace. >> > > Not that I'm opposed to the idea, but what's the intended purpose? Ubuntu has a security sandbox, which includes seccomp as a part of the confinement strategy, that we're using to confine untrusted third-party applications. Today, we're using SECCOMP_RET_KILL as the default action when the applications make a call to a syscall that is not allowed by the sandbox. It is great from a security perspective but not so great from the perspective of the application developer as their application (or in some cases, an interpretor) may work fine without the illegal syscall but it doesn't get the chance to because it is killed. In the near future, we want to switch over to using SECCOMP_RET_ERRNO (the errno is still TBD) as the default action to improve the application developer experience. The largest remaining blocker is that there are no audit messages when a SECCOMP_RET_ERRNO action is taken. Therefore, we can't suggest (to the application developer or to the user) which sandbox knobs need to be turned to better suite their application, we can't let the application developer know that a syscall they're using is illegal outside of them having to debug an odd errno value, and we can't let the user know of a potentially subverted process that's under confinement of the sandbox. All of that could be addressed if SECCOMP_RET_ERRNO actions generated audit messages. I hope that helps to understand the use case. Tyler