From: Tyler Hicks
To: Andy Lutomirski
Cc: Paul Moore, Eric Paris, Kees Cook, Will Drewry, linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions
Date: Tue, 3 Jan 2017 07:53:48 -0600
Message-ID: <9233ff93-16e7-6852-ec62-cb91af647fd3@canonical.com>
References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com>

On 01/02/2017 11:57 PM, Andy Lutomirski wrote:
> On Mon, Jan 2, 2017 at 8:53 AM, Tyler Hicks wrote:
>> This patch set creates the basis for auditing information specific to a given
>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return
>> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the
>> errno value that will be returned to userspace.
>>
>
> Not that I'm opposed to the idea, but what's the intended purpose?

Ubuntu has a security sandbox, which includes seccomp as a part of the
confinement strategy, that we're using to confine untrusted third-party
applications. Today, we're using SECCOMP_RET_KILL as the default action
when the applications make a call to a syscall that is not allowed by
the sandbox. It is great from a security perspective but not so great
from the perspective of the application developer as their application
(or in some cases, an interpreter) may work fine without the illegal
syscall but it doesn't get the chance to because it is killed.

In the near future, we want to switch over to using SECCOMP_RET_ERRNO
(the errno is still TBD) as the default action to improve the
application developer experience. The largest remaining blocker is that
there are no audit messages when a SECCOMP_RET_ERRNO action is taken.
Therefore, we can't suggest (to the application developer or to the
user) which sandbox knobs need to be turned to better suit their
application, we can't let the application developer know that a syscall
they're using is illegal outside of them having to debug an odd errno
value, and we can't let the user know of a potentially subverted process
that's under confinement of the sandbox. All of that could be addressed
if SECCOMP_RET_ERRNO actions generated audit messages.

I hope that helps to understand the use case.
Tyler
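An added example, not code from the patch series or from this thread, showing the difference the message describes from the confined application's side: a child installs a seccomp-bpf filter whose "not allowed" action is either SECCOMP_RET_KILL or SECCOMP_RET_ERRNO and then makes the disallowed call. The filter, the `install_filter`/`probe` helpers, the choice of getpid(2) as the blocked syscall and EPERM standing in for the errno the message leaves TBD are all constructed for illustration.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed filter: allow every syscall except getpid(2), which gets
 * default_action. A real sandbox filter also checks seccomp_data.arch. */
static int install_filter(__u32 default_action)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, default_action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call getpid(2) in a filtered child; returns the errno the child saw (0 if
 * allowed), -signo if it was killed, 255/-256 if filter setup or fork failed. */
static int probe(__u32 default_action)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -256;
    if (pid == 0) {
        if (install_filter(default_action))
            _exit(255);
        long r = syscall(__NR_getpid); /* raw syscall, no libc pid cache */
        _exit(r == -1 ? errno : 0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -256;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("RET_KILL:        %d (-SIGSYS is %d)\n", probe(SECCOMP_RET_KILL), -SIGSYS);
    printf("RET_ERRNO|EPERM: %d (EPERM is %d)\n", probe(SECCOMP_RET_ERRNO | EPERM), EPERM);
}
```

Under RET_KILL the child dies with SIGSYS, which the kernel audits; under RET_ERRNO it simply gets an EPERM back from getpid(2), and without the patch set nothing in the audit log records that the sandbox intervened.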