From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758903AbdACNbw (ORCPT ); Tue, 3 Jan 2017 08:31:52 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:42281 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757660AbdACNb1 (ORCPT ); Tue, 3 Jan 2017 08:31:27 -0500 From: Tyler Hicks Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions To: Paul Moore References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> Cc: Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, linux-kernel@vger.kernel.org Message-ID: <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> Date: Tue, 3 Jan 2017 07:31:16 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9 Content-Type: multipart/mixed; boundary="PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk"; protected-headers="v1" From: Tyler Hicks To: Paul Moore Cc: Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, linux-kernel@vger.kernel.org Message-ID: <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> In-Reply-To: --PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 01/02/2017 04:47 PM, Paul Moore wrote: > On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks wr= ote: >> This patch set creates the basis for auditing information specific to = a given >> seccomp return action and then starts auditing SECCOMP_RET_ERRNO retur= n >> actions. The audit messages for SECCOMP_RET_ERRNO return actions inclu= de the >> errno value that will be returned to userspace. >=20 > I'm replying to this patchset posting because it his my inbox first, > but my comments here apply to both this patchset and the other > seccomp/audit patchset you posted. >=20 > In my experience, we have two or three problems (the count varies > depending on perspective) when it comes to seccomp filter reporting: >=20 > 1. Inability to log all filter actions. > 2. Inability to selectively enable filtering; e.g. devs want noisy > logging, users want relative quiet. > 3. Consistent behavior with audit enabled and disabled. Agreed. Those three logging issues are what have been nagging me the most= =2E > My current thinking - forgive me, this has been kicking around in my > head for the better part of six months (longer?) and I haven't > attempted to code it up - is to create a sysctl knob for a system wide > seccomp logging threshold that would be applied to the high 16-bits of > *every* triggered action: if the action was at/below the threshold a > record would be emitted, otherwise silence. This should resolve > problems #1 and #2, and the code should be relatively straightforward > and small. I like that idea quite a bit. To be completely honest, for #1, I personally only care about logging SECCOMP_RET_ERRNO actions but this idea solves it in a nice and general way. > As part of the code above, I expect that all seccomp logging would get > routed through a single logging function (sort of like a better > implementation of the existing audit_seccomp()) that would check the > threshold and trigger the logging if needed. This function could be > augmented to check for CONFIG_AUDIT and in the case where audit was > not built into the kernel, a simple printk could be used to log the > seccomp event; solving problem #3. That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we build with CONFIG_AUDIT enabled but don't ship auditd by default so audit_enabled is false. In that default configuration, we still want seccomp audit messages to be printk'ed. I'll need to figure out how to cleanly allow opting into seccomp audit messages when CONFIG_AUDIT is enabled and audit_enabled is false. > We could also add a SECCOMP_RET_AUDIT, or similar, if we still feel > that is important (I personally waffle on this), but I think that is > independent of the ideas above. I agree that it is independent but SECCOMP_RET_AUDIT would still be important to Ubuntu. Tyler --PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk-- --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYa6ekAAoJENaSAD2qAscKeIMP/1vncWWinbg6UipgnahHNizI 7mHJl53NpFkyZih5QGkQKzr0GzbXvBWHDMfH5rLQfxLn8kLtXGEFIPnukS35tAn7 wsenLbV65I2SRx03QkWZMgQuCp13T9YWNjY+vN3RKEqOltME7ITTryNpP+/xjTNp caX5QGlYFWK6woOPrt/a6RkpvOQLg/7NfxOxR68XLdWBrkzrP2RNlcltf7iACZTZ DuvPSlupdTng4kd2RABYkCXoAbWzRHzLlK/YOxl4zCZF4sQ+L0OCTZcC2TC4dpub CYppDbjO/faDcEMMYAZQhKPxCJgxAKflGP66QEClycFRMKrMEGw3nTY1FR3QlO9S a7ymOfmGCr1yBzMDm1OmtWu6P2unk01Tm+R4hM/0H33Y1qsc0yuY3/3yjOjhgvjD dZTFGd9NYENSNzoXNZD/r/D6d9ggHx1nCHwo3vAO5wjCF36Bf4GtSgxfmqf9whjP AiDvYFQQ8BBy6qpq4lSke9J07EUQtepQuecrxLvxYUY2Z95ZBGdSGv0quErUEytH gWjA7rHtsY5bCR3RKz94E6j/8z34i6cvxuYvLQ9hlKWsNqf632koZZKuAEFRjHIW mRw+hOUbHhZBZH57HzCm6HX8lGk4CvzSBnFABjfKGI801fAGD80XKgeSitEFGrWn CZxd+WNcX3YKomL5kNTA =n5uq -----END PGP SIGNATURE----- --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tyler Hicks Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Date: Tue, 3 Jan 2017 07:31:16 -0600 Message-ID: <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4597771682702444888==" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Paul Moore Cc: Will Drewry , linux-kernel@vger.kernel.org, Andy Lutomirski , linux-audit@redhat.com List-Id: linux-audit@redhat.com This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============4597771682702444888== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9 Content-Type: multipart/mixed; boundary="PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk"; protected-headers="v1" From: Tyler Hicks To: Paul Moore Cc: Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, linux-kernel@vger.kernel.org Message-ID: <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> In-Reply-To: --PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 01/02/2017 04:47 PM, Paul Moore wrote: > On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks wr= ote: >> This patch set creates the basis for auditing information specific to = a given >> seccomp return action and then starts auditing SECCOMP_RET_ERRNO retur= n >> actions. The audit messages for SECCOMP_RET_ERRNO return actions inclu= de the >> errno value that will be returned to userspace. >=20 > I'm replying to this patchset posting because it his my inbox first, > but my comments here apply to both this patchset and the other > seccomp/audit patchset you posted. >=20 > In my experience, we have two or three problems (the count varies > depending on perspective) when it comes to seccomp filter reporting: >=20 > 1. Inability to log all filter actions. > 2. Inability to selectively enable filtering; e.g. devs want noisy > logging, users want relative quiet. > 3. Consistent behavior with audit enabled and disabled. Agreed. Those three logging issues are what have been nagging me the most= =2E > My current thinking - forgive me, this has been kicking around in my > head for the better part of six months (longer?) and I haven't > attempted to code it up - is to create a sysctl knob for a system wide > seccomp logging threshold that would be applied to the high 16-bits of > *every* triggered action: if the action was at/below the threshold a > record would be emitted, otherwise silence. This should resolve > problems #1 and #2, and the code should be relatively straightforward > and small. I like that idea quite a bit. To be completely honest, for #1, I personally only care about logging SECCOMP_RET_ERRNO actions but this idea solves it in a nice and general way. > As part of the code above, I expect that all seccomp logging would get > routed through a single logging function (sort of like a better > implementation of the existing audit_seccomp()) that would check the > threshold and trigger the logging if needed. This function could be > augmented to check for CONFIG_AUDIT and in the case where audit was > not built into the kernel, a simple printk could be used to log the > seccomp event; solving problem #3. That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we build with CONFIG_AUDIT enabled but don't ship auditd by default so audit_enabled is false. In that default configuration, we still want seccomp audit messages to be printk'ed. I'll need to figure out how to cleanly allow opting into seccomp audit messages when CONFIG_AUDIT is enabled and audit_enabled is false. > We could also add a SECCOMP_RET_AUDIT, or similar, if we still feel > that is important (I personally waffle on this), but I think that is > independent of the ideas above. I agree that it is independent but SECCOMP_RET_AUDIT would still be important to Ubuntu. Tyler --PBG7iQOlFBxtt0gF1vj7GdU2tHE5fX6lk-- --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYa6ekAAoJENaSAD2qAscKeIMP/1vncWWinbg6UipgnahHNizI 7mHJl53NpFkyZih5QGkQKzr0GzbXvBWHDMfH5rLQfxLn8kLtXGEFIPnukS35tAn7 wsenLbV65I2SRx03QkWZMgQuCp13T9YWNjY+vN3RKEqOltME7ITTryNpP+/xjTNp caX5QGlYFWK6woOPrt/a6RkpvOQLg/7NfxOxR68XLdWBrkzrP2RNlcltf7iACZTZ DuvPSlupdTng4kd2RABYkCXoAbWzRHzLlK/YOxl4zCZF4sQ+L0OCTZcC2TC4dpub CYppDbjO/faDcEMMYAZQhKPxCJgxAKflGP66QEClycFRMKrMEGw3nTY1FR3QlO9S a7ymOfmGCr1yBzMDm1OmtWu6P2unk01Tm+R4hM/0H33Y1qsc0yuY3/3yjOjhgvjD dZTFGd9NYENSNzoXNZD/r/D6d9ggHx1nCHwo3vAO5wjCF36Bf4GtSgxfmqf9whjP AiDvYFQQ8BBy6qpq4lSke9J07EUQtepQuecrxLvxYUY2Z95ZBGdSGv0quErUEytH gWjA7rHtsY5bCR3RKz94E6j/8z34i6cvxuYvLQ9hlKWsNqf632koZZKuAEFRjHIW mRw+hOUbHhZBZH57HzCm6HX8lGk4CvzSBnFABjfKGI801fAGD80XKgeSitEFGrWn CZxd+WNcX3YKomL5kNTA =n5uq -----END PGP SIGNATURE----- --b9SgfVr1POkbwsHOoCp5ROuChQSU1efA9-- --===============4597771682702444888== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============4597771682702444888==--