From: Steve Grubb <sgrubb@redhat.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: linux-audit@redhat.com, Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@redhat.com>, Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values
Date: Mon, 02 Jan 2017 13:49:11 -0500 [thread overview]
Message-ID: <1540151.sullFKCz8n@x2> (raw)
In-Reply-To: <20170102174246.GA17677@sec>
On Monday, January 2, 2017 5:42:47 PM EST Tyler Hicks wrote:
> On 2017-01-02 12:20:53, Steve Grubb wrote:
> > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> > > Generate audit records for SECCOMP_RET_ERRNO actions, which were
> > > previously not audited.
> > >
> > > Additionally, include the errno value that will be set in the audit
> > > message.
> > >
> > > Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> > > ---
> > >
> > > include/linux/audit.h | 19 ++++++++++++++++++-
> > > kernel/auditsc.c | 3 +++
> > > kernel/seccomp.c | 4 +++-
> > > 3 files changed, 24 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 8c588c3..6815812 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -87,7 +87,10 @@ struct audit_field {
> > >
> > > struct audit_seccomp_info {
> > >
> > > int code;
> > >
> > > - long signr;
> > > + union {
> > > + int errno;
> > > + long signr;
> > > + };
> > >
> > > };
> > >
> > > extern int is_audit_feature_set(int which);
> > >
> > > @@ -319,6 +322,20 @@ static inline void audit_inode_child(struct inode
> > > *parent, }
> > >
> > > void audit_core_dumps(long signr);
> > >
> > > +static inline void audit_seccomp_errno(unsigned long syscall, int
> > > errno,
> > > + int code)
> > > +{
> > > + if (!audit_enabled)
> > > + return;
> > > +
> > > + if (errno || unlikely(!audit_dummy_context())) {
> > > + struct audit_seccomp_info info = { .code = code,
> > > + .errno = errno };
> > > +
> > > + __audit_seccomp(syscall, &info);
> > > + }
> > > +}
> > > +
> > >
> > > static inline void audit_seccomp_signal(unsigned long syscall, long
> > > signr,
> > >
> > > int code)
> > >
> > > {
> > >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index b3472f2..db5fc9d 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -2426,6 +2426,9 @@ void __audit_seccomp(unsigned long syscall, struct
> > > audit_seccomp_info *info) audit_log_task(ab);
> > >
> > > switch (info->code) {
> > >
> > > + case SECCOMP_RET_ERRNO:
> > > + audit_log_format(ab, " errno=%d", info->errno);
> > > + break;
> >
> > "exit" is the field name that syscalls use to return errno to user space.
> > I'd rather not see another field created that maps to the same thing. You
> > can check
> > the translation with the auformat utility:
> Thanks for having a look at the field name I was using. Although I
> prefer "errno" over "exit" in terms of clarity, I agree that it makes
> sense to be consistent with the field names across record types. "exit"
> works for me.
>
> > http://people.redhat.com/sgrubb/files/auformat.tar.gz
> >
> > $ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat
> > "%EXIT\n"
> >
> > Also, I am working to normalize all the records. That mean every event
> > record of the same type has the same fields, in the same order, with the
> > same representation. I would think "exit" could be added to the current
> > record after syscall so that its ordered similarly to a syscall record.
>
> This patch goes against your normalization efforts in more ways than
> just the placement of the "exit" field. If the action is
> SECCOMP_RET_KILL, a "sig" field is present but if the action is
> SECCOMP_RET_ERRNO, the "sig" field will not be present but the "errno"
> field will be present. This happens all within the AUDIT_SECCOMP record
> type. How would you suggest normalizing AUDIT_SECCOMP records for
> different seccomp return actions?
Typically when the layout has to change, we just give it a new record type.
-Steve
> > > case SECCOMP_RET_KILL:
> > > audit_log_format(ab, " sig=%ld", info->signr);
> > > break;
> > >
> > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > > index 54c01b6..e99c566 100644
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -576,9 +576,11 @@ static int __seccomp_filter(int this_syscall, const
> > > struct seccomp_data *sd, /* Set low-order bits as an errno, capped at
> > > MAX_ERRNO. */
> > >
> > > if (data > MAX_ERRNO)
> > >
> > > data = MAX_ERRNO;
> > >
> > > +
> > > + audit_seccomp_errno(this_syscall, data, action);
> > >
> > > syscall_set_return_value(current, task_pt_regs(current),
> > >
> > > -data, 0);
> > >
> > > - goto skip;
> > > + return -1;
> > >
> > > case SECCOMP_RET_TRAP:
> > > /* Show the handler the original registers. */
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: Will Drewry <wad@chromium.org>,
linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
linux-audit@redhat.com
Subject: Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values
Date: Mon, 02 Jan 2017 13:49:11 -0500 [thread overview]
Message-ID: <1540151.sullFKCz8n@x2> (raw)
In-Reply-To: <20170102174246.GA17677@sec>
On Monday, January 2, 2017 5:42:47 PM EST Tyler Hicks wrote:
> On 2017-01-02 12:20:53, Steve Grubb wrote:
> > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> > > Generate audit records for SECCOMP_RET_ERRNO actions, which were
> > > previously not audited.
> > >
> > > Additionally, include the errno value that will be set in the audit
> > > message.
> > >
> > > Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> > > ---
> > >
> > > include/linux/audit.h | 19 ++++++++++++++++++-
> > > kernel/auditsc.c | 3 +++
> > > kernel/seccomp.c | 4 +++-
> > > 3 files changed, 24 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 8c588c3..6815812 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -87,7 +87,10 @@ struct audit_field {
> > >
> > > struct audit_seccomp_info {
> > >
> > > int code;
> > >
> > > - long signr;
> > > + union {
> > > + int errno;
> > > + long signr;
> > > + };
> > >
> > > };
> > >
> > > extern int is_audit_feature_set(int which);
> > >
> > > @@ -319,6 +322,20 @@ static inline void audit_inode_child(struct inode
> > > *parent, }
> > >
> > > void audit_core_dumps(long signr);
> > >
> > > +static inline void audit_seccomp_errno(unsigned long syscall, int
> > > errno,
> > > + int code)
> > > +{
> > > + if (!audit_enabled)
> > > + return;
> > > +
> > > + if (errno || unlikely(!audit_dummy_context())) {
> > > + struct audit_seccomp_info info = { .code = code,
> > > + .errno = errno };
> > > +
> > > + __audit_seccomp(syscall, &info);
> > > + }
> > > +}
> > > +
> > >
> > > static inline void audit_seccomp_signal(unsigned long syscall, long
> > > signr,
> > >
> > > int code)
> > >
> > > {
> > >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index b3472f2..db5fc9d 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -2426,6 +2426,9 @@ void __audit_seccomp(unsigned long syscall, struct
> > > audit_seccomp_info *info) audit_log_task(ab);
> > >
> > > switch (info->code) {
> > >
> > > + case SECCOMP_RET_ERRNO:
> > > + audit_log_format(ab, " errno=%d", info->errno);
> > > + break;
> >
> > "exit" is the field name that syscalls use to return errno to user space.
> > I'd rather not see another field created that maps to the same thing. You
> > can check
> > the translation with the auformat utility:
> Thanks for having a look at the field name I was using. Although I
> prefer "errno" over "exit" in terms of clarity, I agree that it makes
> sense to be consistent with the field names across record types. "exit"
> works for me.
>
> > http://people.redhat.com/sgrubb/files/auformat.tar.gz
> >
> > $ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat
> > "%EXIT\n"
> >
> > Also, I am working to normalize all the records. That mean every event
> > record of the same type has the same fields, in the same order, with the
> > same representation. I would think "exit" could be added to the current
> > record after syscall so that its ordered similarly to a syscall record.
>
> This patch goes against your normalization efforts in more ways than
> just the placement of the "exit" field. If the action is
> SECCOMP_RET_KILL, a "sig" field is present but if the action is
> SECCOMP_RET_ERRNO, the "sig" field will not be present but the "errno"
> field will be present. This happens all within the AUDIT_SECCOMP record
> type. How would you suggest normalizing AUDIT_SECCOMP records for
> different seccomp return actions?
Typically when the layout has to change, we just give it a new record type.
-Steve
> > > case SECCOMP_RET_KILL:
> > > audit_log_format(ab, " sig=%ld", info->signr);
> > > break;
> > >
> > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > > index 54c01b6..e99c566 100644
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -576,9 +576,11 @@ static int __seccomp_filter(int this_syscall, const
> > > struct seccomp_data *sd, /* Set low-order bits as an errno, capped at
> > > MAX_ERRNO. */
> > >
> > > if (data > MAX_ERRNO)
> > >
> > > data = MAX_ERRNO;
> > >
> > > +
> > > + audit_seccomp_errno(this_syscall, data, action);
> > >
> > > syscall_set_return_value(current, task_pt_regs(current),
> > >
> > > -data, 0);
> > >
> > > - goto skip;
> > > + return -1;
> > >
> > > case SECCOMP_RET_TRAP:
> > > /* Show the handler the original registers. */
next prev parent reply other threads:[~2017-01-02 18:49 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-02 16:53 [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Tyler Hicks
2017-01-02 16:53 ` [PATCH 1/2] seccomp: Allow for auditing functionality specific to " Tyler Hicks
2017-01-02 16:53 ` [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Tyler Hicks
2017-01-02 17:20 ` Steve Grubb
2017-01-02 17:20 ` Steve Grubb
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 18:49 ` Steve Grubb [this message]
2017-01-02 18:49 ` Steve Grubb
2017-01-02 22:55 ` Paul Moore
2017-01-02 22:47 ` [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Paul Moore
2017-01-03 5:56 ` Andy Lutomirski
2017-01-03 19:31 ` Paul Moore
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 19:42 ` Paul Moore
2017-01-03 19:42 ` Paul Moore
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:53 ` Steve Grubb
2017-01-03 20:54 ` Paul Moore
2017-01-03 20:54 ` Paul Moore
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:21 ` Kees Cook
2017-01-03 21:31 ` Paul Moore
2017-01-03 21:44 ` Kees Cook
2017-01-03 21:44 ` Kees Cook
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 6:31 ` Kees Cook
2017-01-04 2:04 ` Tyler Hicks
2017-01-03 5:57 ` Andy Lutomirski
2017-01-03 13:53 ` Tyler Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1540151.sullFKCz8n@x2 \
--to=sgrubb@redhat.com \
--cc=eparis@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=paul@paul-moore.com \
--cc=tyhicks@canonical.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.