From: Steve Grubb <sgrubb@redhat.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Limiting SECCOMP audit events
Date: Fri, 15 Dec 2017 11:09:39 -0500
Message-ID: <2178350.DaTGirQ7H8@x2>
In-Reply-To: <20171215154713.GA16170@sec>

On Friday, December 15, 2017 10:47:14 AM EST Tyler Hicks wrote:
> > Looks good to me but two things:
> > 
> > * Change the name of __audit_seccomp() to audit_seccomp() since we don't
> > have two functions anymore.
> > 
> > * Are we sure about removing the audit_enabled check? People got pretty
> > upset when it wasn't there in the past.
> 
> Do you have any references to the complaints so that we can understand
> them better? I remember being surprised by commit 96368701 adding the
> audit_enabled check (my fault for not watching the list closer) and
> having to revert it in Ubuntu with a distro patch.
> 
> 
> After sleeping on it for a night, I'm now unsure if the patch I sent in
> this thread is what you guys really want. I'll go back to talking in
> pseudocode. This is what we have in 4.14:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action == RET_KILL && RET_KILL in actions_logged:
>     log
>   else if action == RET_LOG && RET_LOG in actions_logged:
>     log
>   else if filter-requests-logging && action in actions_logged:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log
> 
> This is what the patch in this thread does:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,5 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> -    log
>    else:
>      do not log
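
Review bot: deleting the `else if audit_enabled && process-is-being-audited` branch outright means a task that is under audit and hits an action outside actions_logged (the trap and errno returns the thread mentions) produces no record at all, which is exactly the regression concern raised in the reply quoted at the top; if that is the intent, the actions_logged documentation needs to say that it now also silences per-process auditing, otherwise gate the branch on `action in actions_logged` instead of removing it.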
> 
> Instead of that change, now I'm wondering if this is what you really
> want:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,8 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> +  else if audit_enabled && process-is-being-audited &&
> +          action in actions_logged:
>      log
>    else:
>      do not log
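
Review bot: with `action in actions_logged` now required on the audit branch as well, every non-ALLOW path in the chain is gated by actions_logged and the same condition is repeated four times; hoisting it into one early `else if action not in actions_logged: do not log` (as the refactored version further down in this mail does) keeps the later branches free of it and makes it obvious that actions_logged overrides per-process auditing, which should also be stated in the sysctl documentation rather than left implicit.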
> 
> After refactoring the 'action in actions_logged' check, it would leave
> us with this:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action not in actions_logged:
>     do not log

Yeah, this would let us drop the trap return. While errno can lead to a lot of
logging, in practice I just don't see them very often, if ever.

-Steve

>   else if action == RET_KILL:
>     log
>   else if action == RET_LOG:
>     log
>   else if filter-requests-logging:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log
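As an added illustration of the three logging rules quoted in this mail (the 4.14 behaviour, the first patch, and the proposed actions_logged-gated variant), the following C model is not code from the thread or from the kernel: it encodes each rule as a predicate over the inputs named in the pseudocode and enumerates every combination of action, actions_logged set, filter log flag and audit state, so the cases where the rules disagree can be counted and inspected. The `enum action` bit layout, the `struct ctx` field names, and the choice to treat actions_logged as a bit mask are this model's assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Seccomp return actions named in the thread. Each is a bit so that the
 * actions_logged set can be held in one mask (a modelling choice, not the
 * kernel's representation). */
enum action {
    RET_ALLOW = 1 << 0,
    RET_KILL  = 1 << 1,
    RET_LOG   = 1 << 2,
    RET_TRAP  = 1 << 3,
    RET_ERRNO = 1 << 4,
};
#define ACTION_COUNT 5
#define MASK_LIMIT   (1u << ACTION_COUNT)

/* Everything the pseudocode consults when deciding whether to log. */
struct ctx {
    enum action action;        /* what the filter returned            */
    unsigned actions_logged;   /* mask of actions allowed to be logged */
    bool filter_requests_log;  /* "filter-requests-logging"            */
    bool audit_enabled;        /* audit subsystem is on                */
    bool process_audited;      /* "process-is-being-audited"           */
};

static bool in_logged(const struct ctx *c)
{
    return (c->actions_logged & (unsigned)c->action) != 0;
}

/* Rule as quoted for 4.14: the audit branch ignores actions_logged. */
bool log_v414(const struct ctx *c)
{
    if (c->action == RET_ALLOW) return false;
    if (c->action == RET_KILL && in_logged(c)) return true;
    if (c->action == RET_LOG && in_logged(c)) return true;
    if (c->filter_requests_log && in_logged(c)) return true;
    if (c->audit_enabled && c->process_audited) return true;
    return false;
}

/* First patch in the thread: the audit branch is deleted. */
bool log_patch1(const struct ctx *c)
{
    if (c->action == RET_ALLOW) return false;
    if (c->action == RET_KILL && in_logged(c)) return true;
    if (c->action == RET_LOG && in_logged(c)) return true;
    if (c->filter_requests_log && in_logged(c)) return true;
    return false;
}

/* Proposed refactor: actions_logged gates every branch, audit included. */
bool log_proposed(const struct ctx *c)
{
    if (c->action == RET_ALLOW) return false;
    if (!in_logged(c)) return false;
    if (c->action == RET_KILL) return true;
    if (c->action == RET_LOG) return true;
    if (c->filter_requests_log) return true;
    if (c->audit_enabled && c->process_audited) return true;
    return false;
}

typedef bool (*rule_fn)(const struct ctx *);

/* Exhaustively compare two rules; returns how many inputs they decide
 * differently. The input space is 5 actions x 32 masks x 2 x 2 x 2. */
int count_differences(rule_fn a, rule_fn b)
{
    static const enum action acts[ACTION_COUNT] = {
        RET_ALLOW, RET_KILL, RET_LOG, RET_TRAP, RET_ERRNO
    };
    int diffs = 0;
    for (int i = 0; i < ACTION_COUNT; i++)
        for (unsigned mask = 0; mask < MASK_LIMIT; mask++)
            for (int f = 0; f < 2; f++)
                for (int ae = 0; ae < 2; ae++)
                    for (int pa = 0; pa < 2; pa++) {
                        struct ctx c = {
                            .action = acts[i],
                            .actions_logged = mask,
                            .filter_requests_log = f,
                            .audit_enabled = ae,
                            .process_audited = pa,
                        };
                        if (a(&c) != b(&c))
                            diffs++;
                    }
    return diffs;
}

int main(void)
{
    printf("4.14 vs first patch:      %d inputs differ\n",
           count_differences(log_v414, log_patch1));
    printf("4.14 vs proposed:         %d inputs differ\n",
           count_differences(log_v414, log_proposed));
    printf("first patch vs proposed:  %d inputs differ\n",
           count_differences(log_patch1, log_proposed));
    return 0;
}
```

The interesting row is an audited task whose filter returns an errno or trap action that the administrator has left out of actions_logged: 4.14 still logs it through the audit branch, while both the first patch and the proposed refactor stay silent. The two newer rules differ from each other only when such an action is in actions_logged and the filter did not ask for logging: the proposed version still honours the per-process audit state there, the first patch does not.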
