Limiting SECCOMP audit events

Limiting SECCOMP audit events

[Steve Grubb]

[-- Attachment #1.1: Type: text/plain, Size: 578 bytes --]

Hello,

Over the last month, the amount of seccomp events in audit logs is sky-rocketing. I 
have over a million events in the last 2 days. Most of this is generated by firefox and 
qt webkit.

I am wondering if the audit package should ship a file for

/usr/lib/sysctl.d/60-auditd.conf

wherein it has

kernel.seccomp.actions_logged = kill_process kill_thread errno

Also, has anyone verified this sysctl is filtering audit events? Even with the above, I 
have over a million events on a 4.14.3 kernel. Firefox alone is generating over 
50,000 events per hour.

Thanks,
-Steve

[-- Attachment #1.2: Type: text/html, Size: 3250 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Kees Cook]

On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> Over the last month, the amount of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of this
> is generated by firefox and qt webkit.
>
> I am wondering if the audit package should ship a file for
>
> /usr/lib/sysctl.d/60-auditd.conf
>
> wherein it has
>
> kernel.seccomp.actions_logged = kill_process kill_thread errno
>
> Also, has anyone verified this sysctl is filtering audit events? Even with
> the above, I have over a million events on a 4.14.3 kernel. Firefox alone is
> generating over 50,000 events per hour.

I don't think you'd want to log errno -- AIUI, that's used regularly
by a lot of seccomp policy.

-Kees

-- 
Kees Cook
Pixel Security

Re: Limiting SECCOMP audit events

[Steve Grubb]

[-- Attachment #1.1: Type: text/plain, Size: 2038 bytes --]

On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> > 
> > Over the last month, the amount of seccomp events in audit logs is
> > sky-rocketing. I have over a million events in the last 2 days. Most of
> > this is generated by firefox and qt webkit.
> > 
> > I am wondering if the audit package should ship a file for
> > 
> > /usr/lib/sysctl.d/60-auditd.conf
> > 
> > wherein it has
> > 
> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> > 
> > Also, has anyone verified this sysctl is filtering audit events? Even with
> > the above, I have over a million events on a 4.14.3 kernel. Firefox alone
> > is generating over 50,000 events per hour.
> 
> I don't think you'd want to log errno -- AIUI, that's used regularly
> by a lot of seccomp policy.

I'm not seeing any reporting errno. The ones reporting trap are coming in over 
50,000 per hour. I don't think the filter is working.

[root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged
kill_process kill_thread errno
[root@x2 ~]# date
Wed Dec 13 19:24:40 EST 2017
[root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event --
summary -i

Event Summary Report
======================
total  type
======================
170  SECCOMP

In the time it took to type the command 170 seccomp events were recorded from 
firefox.

[root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i
----
node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : 
auid=sgrubb uid=sgrubb gid=sgrubb ses=3 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 
comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 
syscall=stat compat=0 ip=0x7f909c828635 code=trap 

^^ trap.  With the sheer amount of events being recorded, I think it's necessary to 
add a sysctl file to systems to suppress the logging. Especially when you consider 
that systemd-journal also gratuitously grabs audit logs and sends them to rsyslog.

-Steve

[-- Attachment #1.2: Type: text/html, Size: 9055 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Paul Moore]

On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
>> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > Hello,
>> >
>> > Over the last month, the amount of seccomp events in audit logs is
>> > sky-rocketing. I have over a million events in the last 2 days. Most of
>> > this is generated by firefox and qt webkit.
>> >
>> > I am wondering if the audit package should ship a file for
>> >
>> > /usr/lib/sysctl.d/60-auditd.conf
>> >
>> > wherein it has
>> >
>> > kernel.seccomp.actions_logged = kill_process kill_thread errno
>> >
>> > Also, has anyone verified this sysctl is filtering audit events? Even
>> > with
>> > the above, I have over a million events on a 4.14.3 kernel. Firefox
>> > alone
>> > is generating over 50,000 events per hour.
>>
>> I don't think you'd want to log errno -- AIUI, that's used regularly
>> by a lot of seccomp policy.
>
> I'm not seeing any reporting errno. The ones reporting trap are coming in
> over 50,000 per hour. I don't think the filter is working.
>
> [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged
> kill_process kill_thread errno
> [root@x2 ~]# date
> Wed Dec 13 19:24:40 EST 2017
> [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event
> --summary -i
> Event Summary Report
> ======================
> total type
> ======================
> 170 SECCOMP
>
> In the time it took to type the command 170 seccomp events were recorded
> from firefox.
>
> [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i
> ----
> node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) : auid=sgrubb
> uid=sgrubb gid=sgrubb ses=3
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394 comm=Web
> Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64 syscall=stat
> compat=0 ip=0x7f909c828635 code=trap
> ^^ trap. With the sheer amount of events being recorded, I think it's
> necessary to add a sysctl file to systems to suppress the logging.
> Especially when you consider that systemd-journal also gratuitously grabs
> audit logs and sends them to rsyslog.

Looking at the kernel code, it looks like the actions_logged knob
isn't really intended to filter/drop seccomp events, but rather force
seccomp events to be loggged.  Look at seccomp_log() to see what I
mean; there is still a call to audit_seccomp() at the end.

-- 
paul moore
www.paul-moore.com

Re: Limiting SECCOMP audit events

[Steve Grubb]

[-- Attachment #1.1: Type: text/plain, Size: 3220 bytes --]

On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote:
> On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
> >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >> > Hello,
> >> > 
> >> > Over the last month, the amount of seccomp events in audit logs is
> >> > sky-rocketing. I have over a million events in the last 2 days. Most of
> >> > this is generated by firefox and qt webkit.
> >> > 
> >> > I am wondering if the audit package should ship a file for
> >> > 
> >> > /usr/lib/sysctl.d/60-auditd.conf
> >> > 
> >> > wherein it has
> >> > 
> >> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> >> > 
> >> > Also, has anyone verified this sysctl is filtering audit events? Even
> >> > with
> >> > the above, I have over a million events on a 4.14.3 kernel. Firefox
> >> > alone
> >> > is generating over 50,000 events per hour.
> >> 
> >> I don't think you'd want to log errno -- AIUI, that's used regularly
> >> by a lot of seccomp policy.
> > 
> > I'm not seeing any reporting errno. The ones reporting trap are coming in
> > over 50,000 per hour. I don't think the filter is working.
> > 
> > [root@x2 ~]# cat /proc/sys/kernel/seccomp/actions_logged
> > kill_process kill_thread errno
> > [root@x2 ~]# date
> > Wed Dec 13 19:24:40 EST 2017
> > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --raw | aureport --event
> > --summary -i
> > Event Summary Report
> > ======================
> > total type
> > ======================
> > 170 SECCOMP
> > 
> > In the time it took to type the command 170 seccomp events were recorded
> > from firefox.
> > 
> > [root@x2 ~]# ausearch --start 19:24:40 -m seccomp --just-one -i
> > ----
> > node=x2 type=SECCOMP msg=audit(12/13/2017 19:24:56.454:199666) :
> > auid=sgrubb uid=sgrubb gid=sgrubb ses=3
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3394
> > comm=Web Content exe=/usr/lib64/firefox/firefox sig=SIG0 arch=x86_64
> > syscall=stat compat=0 ip=0x7f909c828635 code=trap
> > ^^ trap. With the sheer amount of events being recorded, I think it's
> > necessary to add a sysctl file to systems to suppress the logging.
> > Especially when you consider that systemd-journal also gratuitously grabs
> > audit logs and sends them to rsyslog.
> 
> Looking at the kernel code, it looks like the actions_logged knob
> isn't really intended to filter/drop seccomp events,

That's unfortunate. I thought this was a way to suppress generation of events. We 
have a requirement that audit events be selective by the administrator. We need a 
knob to drop some events. I guess, the only knob right now is the exclude filter. 
That is probably too course.

> but rather force seccomp events to be loggged.  Look at seccomp_log() to see
> what I mean; there is still a call to audit_seccomp() at the end.

Hmm. What do we do? I have more than a million seccomp events in 2 days. I'm 
getting 14 events a second for seccomp just using my system. It's flooding 
everything. I mean maybe the firefox and webkit people meant well using seccomp, 
but how does a normal user get control back of their logs?

Thanks,
-Steve

[-- Attachment #1.2: Type: text/html, Size: 13801 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Paul Moore]

On Wed, Dec 13, 2017 at 10:30 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, December 13, 2017 8:43:38 PM EST Paul Moore wrote:
>> On Wed, Dec 13, 2017 at 7:31 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > On Wednesday, December 13, 2017 7:16:47 PM EST Kees Cook wrote:
>> >> On Wed, Dec 13, 2017 at 3:58 PM, Steve Grubb <sgrubb@redhat.com> wrote:

...

>> Looking at the kernel code, it looks like the actions_logged knob
>> isn't really intended to filter/drop seccomp events,
>
> That's unfortunate. I thought this was a way to suppress generation of
> events. We have a requirement that audit events be selective by the
> administrator. We need a knob to drop some events. I guess, the only knob
> right now is the exclude filter. That is probably too course.
>
>> but rather force seccomp events to be loggged. Look at seccomp_log() to
>> see what I mean; there is still a call to audit_seccomp() at the end.
>
> Hmm. What do we do?

I imagine we could put together a rather coarse grained action filter,
similar to what we have with "actions_logged" (maybe
"actions_silent"?), and perhaps add some additional audit filters for
seccomp for those who happen to have audit enabled.  Both should be
relatively easy, the "actions_silent" field especially so.

-- 
paul moore
www.paul-moore.com

Re: Limiting SECCOMP audit events

[Steve Grubb]

[-- Attachment #1.1: Type: text/plain, Size: 1343 bytes --]

On Thursday, December 14, 2017 7:42:26 AM EST Paul Moore wrote:
> >> Looking at the kernel code, it looks like the actions_logged knob
> >> isn't really intended to filter/drop seccomp events,
> > 
> > That's unfortunate. I thought this was a way to suppress generation of
> > events. We have a requirement that audit events be selective by the
> > administrator. We need a knob to drop some events. I guess, the only knob
> > right now is the exclude filter. That is probably too course.
> > 
> >> but rather force seccomp events to be loggged. Look at seccomp_log() to
> >> see what I mean; there is still a call to audit_seccomp() at the end.
> > 
> > Hmm. What do we do?
> 
> I imagine we could put together a rather coarse grained action filter,
> similar to what we have with "actions_logged" (maybe
> "actions_silent"?), and perhaps add some additional audit filters for
> seccomp for those who happen to have audit enabled.  Both should be
> relatively easy, the "actions_silent" field especially so.

OK. That would be helpful. This is eating up my log space. The biggest offenders 
seem to be doing trap kind of events. I suppose if an errno was returned the 
program would respond by erroring out. But since its a trap, I suspect something 
looks around at data and then OK's it to proceed on which results in another trap.

-Steve

[-- Attachment #1.2: Type: text/html, Size: 5065 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Tyler Hicks]

[-- Attachment #1.1.1: Type: text/plain, Size: 1171 bytes --]

On 12/13/2017 05:58 PM, Steve Grubb wrote:
> Hello,
> 
>  
> 
> Over the last month, the amount of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of
> this is generated by firefox and qt webkit.
> 
>  
> 
> I am wondering if the audit package should ship a file for
> 
>  
> 
> /usr/lib/sysctl.d/60-auditd.conf
> 
>  
> 
> wherein it has
> 
>  
> 
> kernel.seccomp.actions_logged = kill_process kill_thread errno

I agree with Kees here. IMO, you only want "kill_process kill_thread"
which is the default.

> Also, has anyone verified this sysctl is filtering audit events? Even
> with the above, I have over a million events on a 4.14.3 kernel. Firefox
> alone is generating over 50,000 events per hour.

Yes. I tested it a lot as the changes were being upstreamed and again
when I backported the changes to Ubuntu releases 17.10, 17.04, and 16.04
LTS. Those kernels have been released for a month and a half now and I
haven't heard of any issues.

I'll install a Fedora VM and see if I can determine what's happening.

Tyler

> 
>  
> 
> Thanks,
> 
> -Steve
> 



[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Steve Grubb]

[-- Attachment #1.1: Type: text/plain, Size: 1874 bytes --]

On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
> On 12/13/2017 05:58 PM, Steve Grubb wrote:
> > Over the last month, the amount of seccomp events in audit logs is
> > sky-rocketing. I have over a million events in the last 2 days. Most of
> > this is generated by firefox and qt webkit.
> > 
> > I am wondering if the audit package should ship a file for
> > 
> > /usr/lib/sysctl.d/60-auditd.conf
> > 
> > wherein it has
> > 
> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> 
> I agree with Kees here. IMO, you only want "kill_process kill_thread"
> which is the default.

The default appears to be all of the types of events without setting  
kernel.seccomp.actions_logged.

> > Also, has anyone verified this sysctl is filtering audit events? Even
> > with the above, I have over a million events on a 4.14.3 kernel. Firefox
> > alone is generating over 50,000 events per hour.
> 
> Yes. I tested it a lot as the changes were being upstreamed and again
> when I backported the changes to Ubuntu releases 17.10, 17.04, and 16.04
> LTS. Those kernels have been released for a month and a half now and I
> haven't heard of any issues.

Apparently I misunderstood this as a filter for audit events to be blocked.

> I'll install a Fedora VM and see if I can determine what's happening.

I'm testing on F27 if that matters. It would appear to me that seccomp filtering is 
becoming more used and is now dominating the events going into the audit logs.

# uptime
 10:17:34 up  1:27,  1 user,  load average: 0.23, 0.39, 0.53

[root@x2 ~]# ausearch --start today --raw | aureport --event --summary -i

Event Summary Report
======================
total  type
======================
35561  SECCOMP
1041  SYSCALL
134  SERVICE_START
75  NETFILTER_CFG
46  SERVICE_STOP
46  CONFIG_CHANGE
24  AVC

All of the seccomp events are trap types.

-Steve

[-- Attachment #1.2: Type: text/html, Size: 10072 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Tyler Hicks]

On 12/14/2017 09:19 AM, Steve Grubb wrote:
> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
> 
>> On 12/13/2017 05:58 PM, Steve Grubb wrote:
> 
>> > Over the last month, the amount of seccomp events in audit logs is
> 
>> > sky-rocketing. I have over a million events in the last 2 days. Most of
> 
>> > this is generated by firefox and qt webkit.
> 
>> >
> 
>> > I am wondering if the audit package should ship a file for
> 
>> >
> 
>> > /usr/lib/sysctl.d/60-auditd.conf
> 
>> >
> 
>> > wherein it has
> 
>> >
> 
>> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> 
>>
> 
>> I agree with Kees here. IMO, you only want "kill_process kill_thread"
> 
>> which is the default.
> 
>  
> 
> The default appears to be all of the types of events without setting
> kernel.seccomp.actions_logged.

Ah, right. I didn't correctly remember the final implementation details.
The default sysctl setting is to allow all actions except for RET_ALLOW
to be logged.

I think the easiest description of the logic is in the commit message of
59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:

    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if action == RET_LOG && RET_LOG in actions_logged:
      log
    else if filter-requests-logging && action in actions_logged:
      log
    else if audit_enabled && process-is-being-audited:
      log
    else:
      do not log

I think I originally misunderstood your first email in this thread. I
thought you were saying that you were experiencing more seccomp audit
events in 4.14 versus 4.13 and that you felt a regression had been
introduced. After rereading, I think you're asking why you're getting
seccomp RET_TRAP actions logged even though "trap" isn't in the
actions_logged sysctl. 

The reason is because I didn't get clear direction from the audit
folks about to do when audit is enabled and the process is being audited
and, therefore, I didn't feel comfortable rocking the boat. In that
situation, the decision to log is the same as it was in earlier kernels.
Specifically, you're hitting the last "else if" conditional in the
pseudocode above.

If you're happy with having the actions_logged sysctl control whether or
not to log seccomp actions taken for processes that are being audited,
then I think the following (untested) patch should do exactly what you
want. I imagine that you'd also want seccomp to emit audit events
whenever the value of the actions_logged sysctl is changed, which should
be pretty easy to do.

I hope this helps!

Tyler

diff --git a/include/linux/audit.h b/include/linux/audit.h
index af410d9..095b5dd 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode *parent,
 }
 void audit_core_dumps(long signr);
 
-static inline void audit_seccomp(unsigned long syscall, long signr, int code)
-{
-	if (audit_enabled && unlikely(!audit_dummy_context()))
-		__audit_seccomp(syscall, signr, code);
-}
-
 static inline void audit_ptrace(struct task_struct *t)
 {
 	if (unlikely(!audit_dummy_context()))
@@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
 { }
 static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
 { }
-static inline void audit_seccomp(unsigned long syscall, long signr, int code)
-{ }
 static inline int auditsc_get_stamp(struct audit_context *ctx,
 			      struct timespec64 *t, unsigned int *serial)
 {
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 5f0dfb2ab..914a707 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action,
 	 */
 	if (log)
 		return __audit_seccomp(syscall, signr, action);
-
-	/*
-	 * Let the audit subsystem decide if the action should be audited based
-	 * on whether the current task itself is being audited.
-	 */
-	return audit_seccomp(syscall, signr, action);
 }
 
 /*

Re: Limiting SECCOMP audit events

[Kees Cook]

On Thu, Dec 14, 2017 at 3:06 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> The reason is because I didn't get clear direction from the audit
> folks about to do when audit is enabled and the process is being audited
> and, therefore, I didn't feel comfortable rocking the boat. In that
> situation, the decision to log is the same as it was in earlier kernels.
> Specifically, you're hitting the last "else if" conditional in the
> pseudocode above.

Yeah, same for me: it's been entirely unclear what the desired
combination of audit vs seccomp should be. It seems like it should be
reporting everything when auditing a specific process, and then ...
something else? ... in the global context.

> If you're happy with having the actions_logged sysctl control whether or
> not to log seccomp actions taken for processes that are being audited,
> then I think the following (untested) patch should do exactly what you
> want. I imagine that you'd also want seccomp to emit audit events
> whenever the value of the actions_logged sysctl is changed, which should
> be pretty easy to do.
>
> I hope this helps!
>
> Tyler
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index af410d9..095b5dd 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode *parent,
>  }
>  void audit_core_dumps(long signr);
>
> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> -{
> -       if (audit_enabled && unlikely(!audit_dummy_context()))
> -               __audit_seccomp(syscall, signr, code);
> -}
> -
>  static inline void audit_ptrace(struct task_struct *t)
>  {
>         if (unlikely(!audit_dummy_context()))
> @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
>  { }
>  static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
>  { }
> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> -{ }
>  static inline int auditsc_get_stamp(struct audit_context *ctx,
>                               struct timespec64 *t, unsigned int *serial)
>  {
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 5f0dfb2ab..914a707 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action,
>          */
>         if (log)
>                 return __audit_seccomp(syscall, signr, action);
> -
> -       /*
> -        * Let the audit subsystem decide if the action should be audited based
> -        * on whether the current task itself is being audited.
> -        */
> -       return audit_seccomp(syscall, signr, action);
>  }
>
>  /*

If audit folks are happy with this, I am too. :)

-Kees

-- 
Kees Cook
Pixel Security

Re: Limiting SECCOMP audit events

[Paul Moore]

On December 14, 2017 6:06:49 PM Tyler Hicks <tyhicks@canonical.com> wrote:

> On 12/14/2017 09:19 AM, Steve Grubb wrote:
>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>>
>>> On 12/13/2017 05:58 PM, Steve Grubb wrote:
>>
>>> > Over the last month, the amount of seccomp events in audit logs is
>>
>>> > sky-rocketing. I have over a million events in the last 2 days. Most of
>>
>>> > this is generated by firefox and qt webkit.
>>
>>> >
>>
>>> > I am wondering if the audit package should ship a file for
>>
>>> >
>>
>>> > /usr/lib/sysctl.d/60-auditd.conf
>>
>>> >
>>
>>> > wherein it has
>>
>>> >
>>
>>> > kernel.seccomp.actions_logged = kill_process kill_thread errno
>>
>>>
>>
>>> I agree with Kees here. IMO, you only want "kill_process kill_thread"
>>
>>> which is the default.
>>
>>  
>>
>> The default appears to be all of the types of events without setting
>> kernel.seccomp.actions_logged.
>
> Ah, right. I didn't correctly remember the final implementation details.
> The default sysctl setting is to allow all actions except for RET_ALLOW
> to be logged.
>
> I think the easiest description of the logic is in the commit message of
> 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:
>
>     if action == RET_ALLOW:
>       do not log
>     else if action == RET_KILL && RET_KILL in actions_logged:
>       log
>     else if action == RET_LOG && RET_LOG in actions_logged:
>       log
>     else if filter-requests-logging && action in actions_logged:
>       log
>     else if audit_enabled && process-is-being-audited:
>       log
>     else:
>       do not log
>
> I think I originally misunderstood your first email in this thread. I
> thought you were saying that you were experiencing more seccomp audit
> events in 4.14 versus 4.13 and that you felt a regression had been
> introduced. After rereading, I think you're asking why you're getting
> seccomp RET_TRAP actions logged even though "trap" isn't in the
> actions_logged sysctl.
>
> The reason is because I didn't get clear direction from the audit
> folks about to do when audit is enabled and the process is being audited
> and, therefore, I didn't feel comfortable rocking the boat. In that
> situation, the decision to log is the same as it was in earlier kernels.
> Specifically, you're hitting the last "else if" conditional in the
> pseudocode above.
>
> If you're happy with having the actions_logged sysctl control whether or
> not to log seccomp actions taken for processes that are being audited,
> then I think the following (untested) patch should do exactly what you
> want. I imagine that you'd also want seccomp to emit audit events
> whenever the value of the actions_logged sysctl is changed, which should
> be pretty easy to do.
>
> I hope this helps!
>
> Tyler
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index af410d9..095b5dd 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode *parent,
>  }
>  void audit_core_dumps(long signr);
>
> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> -{
> -	if (audit_enabled && unlikely(!audit_dummy_context()))
> -		__audit_seccomp(syscall, signr, code);
> -}
> -

Looks good to me but two things:

* Change the name of __audit_seccomp() to audit_seccomp() since we don't
have two functions anymore.

* Are we sure about removing the audit_enabled check? People got pretty
upset when it wasn't there in the past.

>  static inline void audit_ptrace(struct task_struct *t)
>  {
>  	if (unlikely(!audit_dummy_context()))
> @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
>  { }
>  static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
>  { }
> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> -{ }
>  static inline int auditsc_get_stamp(struct audit_context *ctx,
>  			      struct timespec64 *t, unsigned int *serial)
>  {
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 5f0dfb2ab..914a707 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall,
> long signr, u32 action,
>  	 */
>  	if (log)
>  		return __audit_seccomp(syscall, signr, action);
> -
> -	/*
> -	 * Let the audit subsystem decide if the action should be audited based
> -	 * on whether the current task itself is being audited.
> -	 */
> -	return audit_seccomp(syscall, signr, action);
>  }
>
>  /*
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: Limiting SECCOMP audit events

[Tyler Hicks]

[-- Attachment #1.1: Type: text/plain, Size: 6900 bytes --]

On 12/15/2017 08:08 AM, Paul Moore wrote:
> On December 14, 2017 6:06:49 PM Tyler Hicks <tyhicks@canonical.com> wrote:
> 
>> On 12/14/2017 09:19 AM, Steve Grubb wrote:
>>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>>>
>>>> On 12/13/2017 05:58 PM, Steve Grubb wrote:
>>>
>>>>> Over the last month, the amount of seccomp events in audit logs is
>>>
>>>>> sky-rocketing. I have over a million events in the last 2 days. Most of
>>>
>>>>> this is generated by firefox and qt webkit.
>>>
>>>>>
>>>
>>>>> I am wondering if the audit package should ship a file for
>>>
>>>>>
>>>
>>>>> /usr/lib/sysctl.d/60-auditd.conf
>>>
>>>>>
>>>
>>>>> wherein it has
>>>
>>>>>
>>>
>>>>> kernel.seccomp.actions_logged = kill_process kill_thread errno
>>>
>>>>
>>>
>>>> I agree with Kees here. IMO, you only want "kill_process kill_thread"
>>>
>>>> which is the default.
>>>
>>>  
>>>
>>> The default appears to be all of the types of events without setting
>>> kernel.seccomp.actions_logged.
>>
>> Ah, right. I didn't correctly remember the final implementation details.
>> The default sysctl setting is to allow all actions except for RET_ALLOW
>> to be logged.
>>
>> I think the easiest description of the logic is in the commit message of
>> 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:
>>
>>     if action == RET_ALLOW:
>>       do not log
>>     else if action == RET_KILL && RET_KILL in actions_logged:
>>       log
>>     else if action == RET_LOG && RET_LOG in actions_logged:
>>       log
>>     else if filter-requests-logging && action in actions_logged:
>>       log
>>     else if audit_enabled && process-is-being-audited:
>>       log
>>     else:
>>       do not log
>>
>> I think I originally misunderstood your first email in this thread. I
>> thought you were saying that you were experiencing more seccomp audit
>> events in 4.14 versus 4.13 and that you felt a regression had been
>> introduced. After rereading, I think you're asking why you're getting
>> seccomp RET_TRAP actions logged even though "trap" isn't in the
>> actions_logged sysctl.
>>
>> The reason is because I didn't get clear direction from the audit
>> folks about to do when audit is enabled and the process is being audited
>> and, therefore, I didn't feel comfortable rocking the boat. In that
>> situation, the decision to log is the same as it was in earlier kernels.
>> Specifically, you're hitting the last "else if" conditional in the
>> pseudocode above.
>>
>> If you're happy with having the actions_logged sysctl control whether or
>> not to log seccomp actions taken for processes that are being audited,
>> then I think the following (untested) patch should do exactly what you
>> want. I imagine that you'd also want seccomp to emit audit events
>> whenever the value of the actions_logged sysctl is changed, which should
>> be pretty easy to do.
>>
>> I hope this helps!
>>
>> Tyler
>>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index af410d9..095b5dd 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode *parent,
>>  }
>>  void audit_core_dumps(long signr);
>>
>> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>> -{
>> -	if (audit_enabled && unlikely(!audit_dummy_context()))
>> -		__audit_seccomp(syscall, signr, code);
>> -}
>> -
> 
> Looks good to me but two things:
> 
> * Change the name of __audit_seccomp() to audit_seccomp() since we don't
> have two functions anymore.
> 
> * Are we sure about removing the audit_enabled check? People got pretty
> upset when it wasn't there in the past.

Do you have any references to the complaints so that we can understand
them better? I remember being surprised by commit 96368701 adding the
audit_enabled check (my fault for not watching the list closer) and
having to revert it in Ubuntu with a distro patch.


After sleeping on it for a night, I'm now unsure if the patch I sent in
this thread is what you guys really want. I'll go back to talking in
pseudocode. This is what we have in 4.14:

  if action == RET_ALLOW:
    do not log
  else if action == RET_KILL && RET_KILL in actions_logged:
    log
  else if action == RET_LOG && RET_LOG in actions_logged:
    log
  else if filter-requests-logging && action in actions_logged:
    log
  else if audit_enabled && process-is-being-audited:
    log
  else:
    do not log

This is what the patch in this thread does:

--- a/seccomp-log.pseudo
+++ b/seccomp-log.pseudo
@@ -6,7 +6,5 @@
     log
   else if filter-requests-logging && action in actions_logged:
     log
-  else if audit_enabled && process-is-being-audited:
-    log
   else:
     do not log

Instead of that change, now I'm wondering if this is what you really
want:

--- a/seccomp-log.pseudo
+++ b/seccomp-log.pseudo
@@ -6,7 +6,8 @@
     log
   else if filter-requests-logging && action in actions_logged:
     log
-  else if audit_enabled && process-is-being-audited:
+  else if audit_enabled && process-is-being-audited &&
+          action in actions_logged:
     log
   else:
     do not log

After refactoring the 'action in actions_logged' check, it would leave
us with this:

  if action == RET_ALLOW:
    do not log
  else if action not in actions_logged:
    do not log
  else if action == RET_KILL:
    log
  else if action == RET_LOG:
    log
  else if filter-requests-logging:
    log
  else if audit_enabled && process-is-being-audited:
    log
  else:
    do not log

Tyler

> 
>>  static inline void audit_ptrace(struct task_struct *t)
>>  {
>>  	if (unlikely(!audit_dummy_context()))
>> @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
>>  { }
>>  static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
>>  { }
>> -static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>> -{ }
>>  static inline int auditsc_get_stamp(struct audit_context *ctx,
>>  			      struct timespec64 *t, unsigned int *serial)
>>  {
>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>> index 5f0dfb2ab..914a707 100644
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>> @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall,
>> long signr, u32 action,
>>  	 */
>>  	if (log)
>>  		return __audit_seccomp(syscall, signr, action);
>> -
>> -	/*
>> -	 * Let the audit subsystem decide if the action should be audited based
>> -	 * on whether the current task itself is being audited.
>> -	 */
>> -	return audit_seccomp(syscall, signr, action);
>>  }
>>
>>  /*
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Steve Grubb]

On Friday, December 15, 2017 10:47:14 AM EST Tyler Hicks wrote:
> > Looks good to me but two things:
> > 
> > * Change the name of __audit_seccomp() to audit_seccomp() since we don't
> > have two functions anymore.
> > 
> > * Are we sure about removing the audit_enabled check? People got pretty
> > upset when it wasn't there in the past.
> 
> Do you have any references to the complaints so that we can understand
> them better? I remember being surprised by commit 96368701 adding the
> audit_enabled check (my fault for not watching the list closer) and
> having to revert it in Ubuntu with a distro patch.
> 
> 
> After sleeping on it for a night, I'm now unsure if the patch I sent in
> this thread is what you guys really want. I'll go back to talking in
> pseudocode. This is what we have in 4.14:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action == RET_KILL && RET_KILL in actions_logged:
>     log
>   else if action == RET_LOG && RET_LOG in actions_logged:
>     log
>   else if filter-requests-logging && action in actions_logged:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log
> 
> This is what the patch in this thread does:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,5 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> -    log
>    else:
>      do not log
> 
> Instead of that change, now I'm wondering if this is what you really
> want:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,8 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> +  else if audit_enabled && process-is-being-audited &&
> +          action in actions_logged:
>      log
>    else:
>      do not log
> 
> After refactoring the 'action in actions_logged' check, it would leave
> us with this:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action not in actions_logged:
>     do not log

Yeah, this would let us drop the trap return. While errno can lead to a lot of 
logging, in practice I just don't see them very often if ever.

-Steve

>   else if action == RET_KILL:
>     log
>   else if action == RET_LOG:
>     log
>   else if filter-requests-logging:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log

Re: Limiting SECCOMP audit events

[Paul Moore]

On December 15, 2017 10:47:17 AM Tyler Hicks <tyhicks@canonical.com> wrote:
> On 12/15/2017 08:08 AM, Paul Moore wrote:

...

>> * Are we sure about removing the audit_enabled check? People got pretty
>> upset when it wasn't there in the past.
>
> Do you have any references to the complaints so that we can understand
> them better? I remember being surprised by commit 96368701 adding the
> audit_enabled check (my fault for not watching the list closer) and
> having to revert it in Ubuntu with a distro patch.

I'm somewhat limited at the moment (replying by phone) so I can't my find
it for you, but check the audit mailing list for the discussion.

Re: Limiting SECCOMP audit events

[Steve Grubb]

On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote:
> On 12/14/2017 09:19 AM, Steve Grubb wrote:
> > On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
> >> On 12/13/2017 05:58 PM, Steve Grubb wrote:
> >> > Over the last month, the amount of seccomp events in audit logs is
> >> > 
> >> > sky-rocketing. I have over a million events in the last 2 days. Most of
> >> > 
> >> > this is generated by firefox and qt webkit.
> >> > 
> >> > 
> >> > 
> >> > I am wondering if the audit package should ship a file for
> >> > 
> >> > 
> >> > 
> >> > /usr/lib/sysctl.d/60-auditd.conf
> >> > 
> >> > 
> >> > 
> >> > wherein it has
> >> > 
> >> > 
> >> > 
> >> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> >> 
> >> I agree with Kees here. IMO, you only want "kill_process kill_thread"
> >> 
> >> which is the default.
> > 
> >  
> > 
> > The default appears to be all of the types of events without setting
> > kernel.seccomp.actions_logged.
> 
> Ah, right. I didn't correctly remember the final implementation details.
> The default sysctl setting is to allow all actions except for RET_ALLOW
> to be logged.
> 
> I think the easiest description of the logic is in the commit message of
> 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:
> 
>     if action == RET_ALLOW:
>       do not log
>     else if action == RET_KILL && RET_KILL in actions_logged:
>       log
>     else if action == RET_LOG && RET_LOG in actions_logged:
>       log
>     else if filter-requests-logging && action in actions_logged:
>       log
>     else if audit_enabled && process-is-being-audited:
>       log
>     else:
>       do not log
> 
> I think I originally misunderstood your first email in this thread. I
> thought you were saying that you were experiencing more seccomp audit
> events in 4.14 versus 4.13 and that you felt a regression had been
> introduced. After rereading, I think you're asking why you're getting
> seccomp RET_TRAP actions logged even though "trap" isn't in the
> actions_logged sysctl.

Yes, exactly. I have been experiencing large amounts of SECCOMP events 
starting with qt webkit in kde and thought 4.14 would finally let me tame 
those events. I have opened a couple bz asking developers if they really meant 
to go live with a policy that is experiencing so many denials. But the 
consensus is this is intended. (But I think they also have not actually tried 
to use their audit logs.)


> The reason is because I didn't get clear direction from the audit
> folks about to do when audit is enabled and the process is being audited
> and, therefore, I didn't feel comfortable rocking the boat. In that
> situation, the decision to log is the same as it was in earlier kernels.
> Specifically, you're hitting the last "else if" conditional in the
> pseudocode above.

And here I thought you were also seeing large numbers of seccomp events and 
were making a way to control what gets logged. In any event, I think we better 
understand each other now. :-)


> If you're happy with having the actions_logged sysctl control whether or
> not to log seccomp actions taken for processes that are being audited,
> then I think the following (untested) patch should do exactly what you
> want.

OK. Great. With developers starting to use the trap return value, audit logs 
are getting swamped by benign events. We truly need a knob to eliminate the 
noise from the signal.

> I imagine that you'd also want seccomp to emit audit events whenever the
> value of the actions_logged sysctl is changed, which should be pretty easy
> to do.

Sure. If you want to add it, then it should be roughly like this:

               struct tty_struct *tty;
               const struct cred *cred;
               struct audit_buffer *ab;
               char comm[sizeof(current->comm)];

               ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
               if (unlikely(!ab))
                       return;

               cred = current_cred();
               tty = audit_get_tty(current);
               audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
                               task_tgid_nr(current),
                               from_kuid(&init_user_ns, cred->uid),
                               from_kuid(&init_user_ns,
                               audit_get_loginuid(current)),
                               tty ? tty_name(tty) : "(none)",
                               audit_get_sessionid(current));
               audit_put_tty(tty);
               audit_log_task_context(ab);
               audit_log_format(ab, " comm=");
               audit_log_untrustedstring(ab, get_task_comm(comm, current));
               audit_log_d_path_exe(ab, current->mm);
               audit_log_format(ab, "op=seccomp-logging");

<You can log the new value here if you wish - just can't have spaces in the 
value. Numbers or mask is fine.>

               audit_log_format(ab, " res=%u", res);

where res above is a 1 for success and 0 for failure. Failure is likely to be 
due to not having the capability that allows setting the sysctl.

> I hope this helps!

Thanks!

-Steve

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index af410d9..095b5dd 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode
> *parent, }
>  void audit_core_dumps(long signr);
> 
> -static inline void audit_seccomp(unsigned long syscall, long signr, int
> code) -{
> -	if (audit_enabled && unlikely(!audit_dummy_context()))
> -		__audit_seccomp(syscall, signr, code);
> -}
> -
>  static inline void audit_ptrace(struct task_struct *t)
>  {
>  	if (unlikely(!audit_dummy_context()))
> @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
>  { }
>  static inline void __audit_seccomp(unsigned long syscall, long signr, int
> code) { }
> -static inline void audit_seccomp(unsigned long syscall, long signr, int
> code) -{ }
>  static inline int auditsc_get_stamp(struct audit_context *ctx,
>  			      struct timespec64 *t, unsigned int *serial)
>  {
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 5f0dfb2ab..914a707 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall,
> long signr, u32 action, */
>  	if (log)
>  		return __audit_seccomp(syscall, signr, action);
> -
> -	/*
> -	 * Let the audit subsystem decide if the action should be audited based
> -	 * on whether the current task itself is being audited.
> -	 */
> -	return audit_seccomp(syscall, signr, action);
>  }
> 
>  /*

Re: Limiting SECCOMP audit events

[Steve Grubb]

Hello,

I know people have been busy with the holidays and things...but I just wanted 
to mention I'm still seeing 100's of thousands of seccomp events hitting the 
audit logs every day.

# ausearch --start today -m seccomp --raw | aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
209843  /usr/lib64/firefox/firefox
2196  /usr/lib64/qt5/libexec/QtWebEngineProcess

Has anyone looked at it beyond pseudo code?

-Steve

On Friday, December 15, 2017 11:02:19 AM EST Steve Grubb wrote:
> On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote:
> > On 12/14/2017 09:19 AM, Steve Grubb wrote:
> > > On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
> > >> On 12/13/2017 05:58 PM, Steve Grubb wrote:
> > >> > Over the last month, the amount of seccomp events in audit logs is
> > >> > 
> > >> > sky-rocketing. I have over a million events in the last 2 days. Most
> > >> > of
> > >> > 
> > >> > this is generated by firefox and qt webkit.
> > >> > 
> > >> > I am wondering if the audit package should ship a file for
> > >> > 
> > >> > /usr/lib/sysctl.d/60-auditd.conf
> > >> > 
> > >> > wherein it has
> > >> > 
> > >> > kernel.seccomp.actions_logged = kill_process kill_thread errno
> > >> 
> > >> I agree with Kees here. IMO, you only want "kill_process kill_thread"
> > >> 
> > >> which is the default.
> > > 
> > > The default appears to be all of the types of events without setting
> > > kernel.seccomp.actions_logged.
> > 
> > Ah, right. I didn't correctly remember the final implementation details.
> > The default sysctl setting is to allow all actions except for RET_ALLOW
> > to be logged.
> > 
> > I think the easiest description of the logic is in the commit message of
> > 
> > 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:
> >     if action == RET_ALLOW:
> >       do not log
> >     
> >     else if action == RET_KILL && RET_KILL in actions_logged:
> >       log
> >     
> >     else if action == RET_LOG && RET_LOG in actions_logged:
> >       log
> >     
> >     else if filter-requests-logging && action in actions_logged:
> >       log
> >     
> >     else if audit_enabled && process-is-being-audited:
> >       log
> >     
> >     else:
> >       do not log
> > 
> > I think I originally misunderstood your first email in this thread. I
> > thought you were saying that you were experiencing more seccomp audit
> > events in 4.14 versus 4.13 and that you felt a regression had been
> > introduced. After rereading, I think you're asking why you're getting
> > seccomp RET_TRAP actions logged even though "trap" isn't in the
> > actions_logged sysctl.
> 
> Yes, exactly. I have been experiencing large amounts of SECCOMP events
> starting with qt webkit in kde and thought 4.14 would finally let me tame
> those events. I have opened a couple bz asking developers if they really
> meant to go live with a policy that is experiencing so many denials. But
> the consensus is this is intended. (But I think they also have not
> actually tried to use their audit logs.)
> 
> > The reason is because I didn't get clear direction from the audit
> > folks about to do when audit is enabled and the process is being audited
> > and, therefore, I didn't feel comfortable rocking the boat. In that
> > situation, the decision to log is the same as it was in earlier kernels.
> > Specifically, you're hitting the last "else if" conditional in the
> > pseudocode above.
> 
> And here I thought you were also seeing large numbers of seccomp events and
> were making a way to control what gets logged. In any event, I think we
> better understand each other now. :-)
> 
> > If you're happy with having the actions_logged sysctl control whether or
> > not to log seccomp actions taken for processes that are being audited,
> > then I think the following (untested) patch should do exactly what you
> > want.
> 
> OK. Great. With developers starting to use the trap return value, audit
> logs are getting swamped by benign events. We truly need a knob to
> eliminate the noise from the signal.
> 
> > I imagine that you'd also want seccomp to emit audit events whenever the
> > value of the actions_logged sysctl is changed, which should be pretty
> > easy
> > to do.
> 
> Sure. If you want to add it, then it should be roughly like this:
> 
>                struct tty_struct *tty;
>                const struct cred *cred;
>                struct audit_buffer *ab;
>                char comm[sizeof(current->comm)];
> 
>                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (unlikely(!ab))
>                        return;
> 
>                cred = current_cred();
>                tty = audit_get_tty(current);
>                audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
>                                task_tgid_nr(current),
>                                from_kuid(&init_user_ns, cred->uid),
>                                from_kuid(&init_user_ns,
>                                audit_get_loginuid(current)),
>                                tty ? tty_name(tty) : "(none)",
>                                audit_get_sessionid(current));
>                audit_put_tty(tty);
>                audit_log_task_context(ab);
>                audit_log_format(ab, " comm=");
>                audit_log_untrustedstring(ab, get_task_comm(comm, current));
> audit_log_d_path_exe(ab, current->mm);
>                audit_log_format(ab, "op=seccomp-logging");
> 
> <You can log the new value here if you wish - just can't have spaces in the
> value. Numbers or mask is fine.>
> 
>                audit_log_format(ab, " res=%u", res);
> 
> where res above is a 1 for success and 0 for failure. Failure is likely to
> be due to not having the capability that allows setting the sysctl.
> 
> > I hope this helps!
> 
> Thanks!
> 
> -Steve
> 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index af410d9..095b5dd 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode
> > *parent, }
> > 
> >  void audit_core_dumps(long signr);
> > 
> > -static inline void audit_seccomp(unsigned long syscall, long signr, int
> > code) -{
> > -	if (audit_enabled && unlikely(!audit_dummy_context()))
> > -		__audit_seccomp(syscall, signr, code);
> > -}
> > -
> > 
> >  static inline void audit_ptrace(struct task_struct *t)
> >  {
> >  
> >  	if (unlikely(!audit_dummy_context()))
> > 
> > @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
> > 
> >  { }
> >  static inline void __audit_seccomp(unsigned long syscall, long signr,
> >  int
> > 
> > code) { }
> > -static inline void audit_seccomp(unsigned long syscall, long signr, int
> > code) -{ }
> > 
> >  static inline int auditsc_get_stamp(struct audit_context *ctx,
> >  
> >  			      struct timespec64 *t, unsigned int *serial)
> >  
> >  {
> > 
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 5f0dfb2ab..914a707 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long
> > syscall,
> > long signr, u32 action, */
> > 
> >  	if (log)
> >  	
> >  		return __audit_seccomp(syscall, signr, action);
> > 
> > -
> > -	/*
> > -	 * Let the audit subsystem decide if the action should be audited 
based
> > -	 * on whether the current task itself is being audited.
> > -	 */
> > -	return audit_seccomp(syscall, signr, action);
> > 
> >  }
> >  
> >  /*
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

Re: Limiting SECCOMP audit events

[Tyler Hicks]

[-- Attachment #1.1.1: Type: text/plain, Size: 8196 bytes --]

On 01/02/2018 02:03 PM, Steve Grubb wrote:
> Hello,
> 
> I know people have been busy with the holidays and things...but I just wanted 
> to mention I'm still seeing 100's of thousands of seccomp events hitting the 
> audit logs every day.
> 
> # ausearch --start today -m seccomp --raw | aureport -x --summary
> 
> Executable Summary Report
> =================================
> total  file
> =================================
> 209843  /usr/lib64/firefox/firefox
> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
> 
> Has anyone looked at it beyond pseudo code?

I started to throw together a quick couple of patches prior to the
holidays but didn't finish. Things aren't looking good for the next few
weeks for me so someone else should take over if it is important for 4.16.

Tyler

> 
> -Steve
> 
> On Friday, December 15, 2017 11:02:19 AM EST Steve Grubb wrote:
>> On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote:
>>> On 12/14/2017 09:19 AM, Steve Grubb wrote:
>>>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>>>>> On 12/13/2017 05:58 PM, Steve Grubb wrote:
>>>>>> Over the last month, the amount of seccomp events in audit logs is
>>>>>>
>>>>>> sky-rocketing. I have over a million events in the last 2 days. Most
>>>>>> of
>>>>>>
>>>>>> this is generated by firefox and qt webkit.
>>>>>>
>>>>>> I am wondering if the audit package should ship a file for
>>>>>>
>>>>>> /usr/lib/sysctl.d/60-auditd.conf
>>>>>>
>>>>>> wherein it has
>>>>>>
>>>>>> kernel.seccomp.actions_logged = kill_process kill_thread errno
>>>>>
>>>>> I agree with Kees here. IMO, you only want "kill_process kill_thread"
>>>>>
>>>>> which is the default.
>>>>
>>>> The default appears to be all of the types of events without setting
>>>> kernel.seccomp.actions_logged.
>>>
>>> Ah, right. I didn't correctly remember the final implementation details.
>>> The default sysctl setting is to allow all actions except for RET_ALLOW
>>> to be logged.
>>>
>>> I think the easiest description of the logic is in the commit message of
>>>
>>> 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4:
>>>     if action == RET_ALLOW:
>>>       do not log
>>>     
>>>     else if action == RET_KILL && RET_KILL in actions_logged:
>>>       log
>>>     
>>>     else if action == RET_LOG && RET_LOG in actions_logged:
>>>       log
>>>     
>>>     else if filter-requests-logging && action in actions_logged:
>>>       log
>>>     
>>>     else if audit_enabled && process-is-being-audited:
>>>       log
>>>     
>>>     else:
>>>       do not log
>>>
>>> I think I originally misunderstood your first email in this thread. I
>>> thought you were saying that you were experiencing more seccomp audit
>>> events in 4.14 versus 4.13 and that you felt a regression had been
>>> introduced. After rereading, I think you're asking why you're getting
>>> seccomp RET_TRAP actions logged even though "trap" isn't in the
>>> actions_logged sysctl.
>>
>> Yes, exactly. I have been experiencing large amounts of SECCOMP events
>> starting with qt webkit in kde and thought 4.14 would finally let me tame
>> those events. I have opened a couple bz asking developers if they really
>> meant to go live with a policy that is experiencing so many denials. But
>> the consensus is this is intended. (But I think they also have not
>> actually tried to use their audit logs.)
>>
>>> The reason is because I didn't get clear direction from the audit
>>> folks about to do when audit is enabled and the process is being audited
>>> and, therefore, I didn't feel comfortable rocking the boat. In that
>>> situation, the decision to log is the same as it was in earlier kernels.
>>> Specifically, you're hitting the last "else if" conditional in the
>>> pseudocode above.
>>
>> And here I thought you were also seeing large numbers of seccomp events and
>> were making a way to control what gets logged. In any event, I think we
>> better understand each other now. :-)
>>
>>> If you're happy with having the actions_logged sysctl control whether or
>>> not to log seccomp actions taken for processes that are being audited,
>>> then I think the following (untested) patch should do exactly what you
>>> want.
>>
>> OK. Great. With developers starting to use the trap return value, audit
>> logs are getting swamped by benign events. We truly need a knob to
>> eliminate the noise from the signal.
>>
>>> I imagine that you'd also want seccomp to emit audit events whenever the
>>> value of the actions_logged sysctl is changed, which should be pretty
>>> easy
>>> to do.
>>
>> Sure. If you want to add it, then it should be roughly like this:
>>
>>                struct tty_struct *tty;
>>                const struct cred *cred;
>>                struct audit_buffer *ab;
>>                char comm[sizeof(current->comm)];
>>
>>                ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
>> if (unlikely(!ab))
>>                        return;
>>
>>                cred = current_cred();
>>                tty = audit_get_tty(current);
>>                audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
>>                                task_tgid_nr(current),
>>                                from_kuid(&init_user_ns, cred->uid),
>>                                from_kuid(&init_user_ns,
>>                                audit_get_loginuid(current)),
>>                                tty ? tty_name(tty) : "(none)",
>>                                audit_get_sessionid(current));
>>                audit_put_tty(tty);
>>                audit_log_task_context(ab);
>>                audit_log_format(ab, " comm=");
>>                audit_log_untrustedstring(ab, get_task_comm(comm, current));
>> audit_log_d_path_exe(ab, current->mm);
>>                audit_log_format(ab, "op=seccomp-logging");
>>
>> <You can log the new value here if you wish - just can't have spaces in the
>> value. Numbers or mask is fine.>
>>
>>                audit_log_format(ab, " res=%u", res);
>>
>> where res above is a 1 for success and 0 for failure. Failure is likely to
>> be due to not having the capability that allows setting the sysctl.
>>
>>> I hope this helps!
>>
>> Thanks!
>>
>> -Steve
>>
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index af410d9..095b5dd 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode
>>> *parent, }
>>>
>>>  void audit_core_dumps(long signr);
>>>
>>> -static inline void audit_seccomp(unsigned long syscall, long signr, int
>>> code) -{
>>> -	if (audit_enabled && unlikely(!audit_dummy_context()))
>>> -		__audit_seccomp(syscall, signr, code);
>>> -}
>>> -
>>>
>>>  static inline void audit_ptrace(struct task_struct *t)
>>>  {
>>>  
>>>  	if (unlikely(!audit_dummy_context()))
>>>
>>> @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr)
>>>
>>>  { }
>>>  static inline void __audit_seccomp(unsigned long syscall, long signr,
>>>  int
>>>
>>> code) { }
>>> -static inline void audit_seccomp(unsigned long syscall, long signr, int
>>> code) -{ }
>>>
>>>  static inline int auditsc_get_stamp(struct audit_context *ctx,
>>>  
>>>  			      struct timespec64 *t, unsigned int *serial)
>>>  
>>>  {
>>>
>>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>>> index 5f0dfb2ab..914a707 100644
>>> --- a/kernel/seccomp.c
>>> +++ b/kernel/seccomp.c
>>> @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long
>>> syscall,
>>> long signr, u32 action, */
>>>
>>>  	if (log)
>>>  	
>>>  		return __audit_seccomp(syscall, signr, action);
>>>
>>> -
>>> -	/*
>>> -	 * Let the audit subsystem decide if the action should be audited 
> based
>>> -	 * on whether the current task itself is being audited.
>>> -	 */
>>> -	return audit_seccomp(syscall, signr, action);
>>>
>>>  }
>>>  
>>>  /*
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 



[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Paul Moore]

On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> On 01/02/2018 02:03 PM, Steve Grubb wrote:
>> Hello,
>>
>> I know people have been busy with the holidays and things...but I just wanted
>> to mention I'm still seeing 100's of thousands of seccomp events hitting the
>> audit logs every day.
>>
>> # ausearch --start today -m seccomp --raw | aureport -x --summary
>>
>> Executable Summary Report
>> =================================
>> total  file
>> =================================
>> 209843  /usr/lib64/firefox/firefox
>> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
>>
>> Has anyone looked at it beyond pseudo code?
>
> I started to throw together a quick couple of patches prior to the
> holidays but didn't finish. Things aren't looking good for the next few
> weeks for me so someone else should take over if it is important for 4.16.
>
> Tyler

This is also on my todo list, but it sits behind fixing one last
libseccomp bug and getting a new release out.  I made some good
progress on the libseccomp bug right before the holiday, but I think
there is still a days worth of work left before it is ready to be
merged.  I'm also traveling for the next week so I doubt I'll have any
serious time to devote to the kernel patch(es).

I can't remember what Tyler's last thought was on the logic, but I
imagine I'll just wait until I see some patches to review/merge, or I
can go back in the thread if I happen to have time before anyone else.

Also, to set expectations, since we are currently at -rc6, this is
likely going to need to wait until 4.17 at the earliest as I generally
don't like merging new functionality in the last week or two before
the merge window.

Also (part two), we should add a test case to the audit-testsuite for
any new knobs that affect the SECCOMP records.

-- 
paul moore
www.paul-moore.com

Re: Limiting SECCOMP audit events

[Steve Grubb]

Hello,

Ping?  SECCOMP events are still flooding the system. Can we do something 
hackish to turn this off until a better solution can be created?

Thanks,
-Steve


On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> > On 01/02/2018 02:03 PM, Steve Grubb wrote:
> >> Hello,
> >> 
> >> I know people have been busy with the holidays and things...but I just
> >> wanted to mention I'm still seeing 100's of thousands of seccomp events
> >> hitting the audit logs every day.
> >> 
> >> # ausearch --start today -m seccomp --raw | aureport -x --summary
> >> 
> >> Executable Summary Report
> >> =================================
> >> total  file
> >> =================================
> >> 209843  /usr/lib64/firefox/firefox
> >> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
> >> 
> >> Has anyone looked at it beyond pseudo code?
> > 
> > I started to throw together a quick couple of patches prior to the
> > holidays but didn't finish. Things aren't looking good for the next few
> > weeks for me so someone else should take over if it is important for
> > 4.16.
> > 
> > Tyler
> 
> This is also on my todo list, but it sits behind fixing one last
> libseccomp bug and getting a new release out.  I made some good
> progress on the libseccomp bug right before the holiday, but I think
> there is still a days worth of work left before it is ready to be
> merged.  I'm also traveling for the next week so I doubt I'll have any
> serious time to devote to the kernel patch(es).
> 
> I can't remember what Tyler's last thought was on the logic, but I
> imagine I'll just wait until I see some patches to review/merge, or I
> can go back in the thread if I happen to have time before anyone else.
> 
> Also, to set expectations, since we are currently at -rc6, this is
> likely going to need to wait until 4.17 at the earliest as I generally
> don't like merging new functionality in the last week or two before
> the merge window.
> 
> Also (part two), we should add a test case to the audit-testsuite for
> any new knobs that affect the SECCOMP records.

Re: Limiting SECCOMP audit events

[Paul Moore]

On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> Ping?  SECCOMP events are still flooding the system. Can we do something
> hackish to turn this off until a better solution can be created?

Pong?

The only workarounds I can think of would be to disable audit or
create a filter rule excluding auditing for the noisy process.  I've
never tried the latter, but I'm pretty sure it would work.

> On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
>> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
>> > On 01/02/2018 02:03 PM, Steve Grubb wrote:
>> >> Hello,
>> >>
>> >> I know people have been busy with the holidays and things...but I just
>> >> wanted to mention I'm still seeing 100's of thousands of seccomp events
>> >> hitting the audit logs every day.
>> >>
>> >> # ausearch --start today -m seccomp --raw | aureport -x --summary
>> >>
>> >> Executable Summary Report
>> >> =================================
>> >> total  file
>> >> =================================
>> >> 209843  /usr/lib64/firefox/firefox
>> >> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
>> >>
>> >> Has anyone looked at it beyond pseudo code?
>> >
>> > I started to throw together a quick couple of patches prior to the
>> > holidays but didn't finish. Things aren't looking good for the next few
>> > weeks for me so someone else should take over if it is important for
>> > 4.16.
>> >
>> > Tyler
>>
>> This is also on my todo list, but it sits behind fixing one last
>> libseccomp bug and getting a new release out.  I made some good
>> progress on the libseccomp bug right before the holiday, but I think
>> there is still a days worth of work left before it is ready to be
>> merged.  I'm also traveling for the next week so I doubt I'll have any
>> serious time to devote to the kernel patch(es).
>>
>> I can't remember what Tyler's last thought was on the logic, but I
>> imagine I'll just wait until I see some patches to review/merge, or I
>> can go back in the thread if I happen to have time before anyone else.
>>
>> Also, to set expectations, since we are currently at -rc6, this is
>> likely going to need to wait until 4.17 at the earliest as I generally
>> don't like merging new functionality in the last week or two before
>> the merge window.
>>
>> Also (part two), we should add a test case to the audit-testsuite for
>> any new knobs that affect the SECCOMP records.
>
>
>
>



-- 
paul moore
www.paul-moore.com

Re: Limiting SECCOMP audit events

[Tyler Hicks]

[-- Attachment #1.1.1: Type: text/plain, Size: 3898 bytes --]

On 04/17/2018 08:57 PM, Paul Moore wrote:
> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> Hello,
>>
>> Ping?  SECCOMP events are still flooding the system. Can we do something
>> hackish to turn this off until a better solution can be created?
> 
> Pong?
> 
> The only workarounds I can think of would be to disable audit or
> create a filter rule excluding auditing for the noisy process.  I've
> never tried the latter, but I'm pretty sure it would work.

I've pushed two branches which have slightly different behaviors. They
only differ by the last patch in each branch. The tree is here:

https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/

1) seccomp-auditing/option-1-consistent-behavior
   This branch removes all special casing around audited processes. The
   decision on whether or not to audit an action no longer considers
   whether or not the process is being audited. RET_TRAP, RET_TRACE,
   and RET_ERRNO actions will only be logged if the application loads
   the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
   the final say via the kernel.seccomp.actions_logged sysctl.

2) seccomp-auditing/option-2-honor-sysctl
   This branch continues to special case audited processes. The decision
   to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on if the
   SECCOMP_FILTER_FLAG_LOG bit being set OR if the process is being
   audited. The admin has the final say via the
   kernel.seccomp.actions_logged sysctl.

I prefer option #1. Play with both implementations and let me know what
works best for your requirements. Both branches share the same
underlying patches for emitting audit records on writes to the
kernel.seccomp.actions_logged sysctl.

Tyler

> 
>> On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
>>> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
>>>> On 01/02/2018 02:03 PM, Steve Grubb wrote:
>>>>> Hello,
>>>>>
>>>>> I know people have been busy with the holidays and things...but I just
>>>>> wanted to mention I'm still seeing 100's of thousands of seccomp events
>>>>> hitting the audit logs every day.
>>>>>
>>>>> # ausearch --start today -m seccomp --raw | aureport -x --summary
>>>>>
>>>>> Executable Summary Report
>>>>> =================================
>>>>> total  file
>>>>> =================================
>>>>> 209843  /usr/lib64/firefox/firefox
>>>>> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
>>>>>
>>>>> Has anyone looked at it beyond pseudo code?
>>>>
>>>> I started to throw together a quick couple of patches prior to the
>>>> holidays but didn't finish. Things aren't looking good for the next few
>>>> weeks for me so someone else should take over if it is important for
>>>> 4.16.
>>>>
>>>> Tyler
>>>
>>> This is also on my todo list, but it sits behind fixing one last
>>> libseccomp bug and getting a new release out.  I made some good
>>> progress on the libseccomp bug right before the holiday, but I think
>>> there is still a days worth of work left before it is ready to be
>>> merged.  I'm also traveling for the next week so I doubt I'll have any
>>> serious time to devote to the kernel patch(es).
>>>
>>> I can't remember what Tyler's last thought was on the logic, but I
>>> imagine I'll just wait until I see some patches to review/merge, or I
>>> can go back in the thread if I happen to have time before anyone else.
>>>
>>> Also, to set expectations, since we are currently at -rc6, this is
>>> likely going to need to wait until 4.17 at the earliest as I generally
>>> don't like merging new functionality in the last week or two before
>>> the merge window.
>>>
>>> Also (part two), we should add a test case to the audit-testsuite for
>>> any new knobs that affect the SECCOMP records.
>>
>>
>>
>>
> 
> 
> 



[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Limiting SECCOMP audit events

[Paul Moore]

On Tue, Apr 24, 2018 at 8:00 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> On 04/17/2018 08:57 PM, Paul Moore wrote:
>> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> Hello,
>>>
>>> Ping?  SECCOMP events are still flooding the system. Can we do something
>>> hackish to turn this off until a better solution can be created?
>>
>> Pong?
>>
>> The only workarounds I can think of would be to disable audit or
>> create a filter rule excluding auditing for the noisy process.  I've
>> never tried the latter, but I'm pretty sure it would work.
>
> I've pushed two branches which have slightly different behaviors. They
> only differ by the last patch in each branch. The tree is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/
>
> 1) seccomp-auditing/option-1-consistent-behavior
>    This branch removes all special casing around audited processes. The
>    decision on whether or not to audit an action no longer considers
>    whether or not the process is being audited. RET_TRAP, RET_TRACE,
>    and RET_ERRNO actions will only be logged if the application loads
>    the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
>    the final say via the kernel.seccomp.actions_logged sysctl.
>
> 2) seccomp-auditing/option-2-honor-sysctl
>    This branch continues to special case audited processes. The decision
>    to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on if the
>    SECCOMP_FILTER_FLAG_LOG bit being set OR if the process is being
>    audited. The admin has the final say via the
>    kernel.seccomp.actions_logged sysctl.
>
> I prefer option #1. Play with both implementations and let me know what
> works best for your requirements. Both branches share the same
> underlying patches for emitting audit records on writes to the
> kernel.seccomp.actions_logged sysctl.

Looking quickly at the two branches, I think I prefer the
option-1-consistent-behavior approach, although some changes are
needed.  Could you post those patches to list for review/discussion?

-- 
paul moore
www.paul-moore.com