From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kees Cook Subject: Re: Limiting SECCOMP audit events Date: Thu, 14 Dec 2017 15:16:18 -0800 Message-ID: References: <58203247.sCqcla2mis@x2> <36cd827f-201c-8f76-2883-ecd930cbb1f4@canonical.com> <3499769.OM7YpPIT3e@x2> <20171214230629.GA451@sec> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx08.extmail.prod.ext.phx2.redhat.com [10.5.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 25F255C549 for ; Thu, 14 Dec 2017 23:16:22 +0000 (UTC) Received: from mail-vk0-f66.google.com (mail-vk0-f66.google.com [209.85.213.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DA3BAC033476 for ; Thu, 14 Dec 2017 23:16:20 +0000 (UTC) Received: by mail-vk0-f66.google.com with SMTP id x140so4581546vke.4 for ; Thu, 14 Dec 2017 15:16:20 -0800 (PST) In-Reply-To: <20171214230629.GA451@sec> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Tyler Hicks Cc: Linux Audit List-Id: linux-audit@redhat.com On Thu, Dec 14, 2017 at 3:06 PM, Tyler Hicks wrote: > The reason is because I didn't get clear direction from the audit > folks about to do when audit is enabled and the process is being audited > and, therefore, I didn't feel comfortable rocking the boat. In that > situation, the decision to log is the same as it was in earlier kernels. > Specifically, you're hitting the last "else if" conditional in the > pseudocode above. Yeah, same for me: it's been entirely unclear what the desired combination of audit vs seccomp should be. It seems like it should be reporting everything when auditing a specific process, and then ... something else? ... in the global context. > If you're happy with having the actions_logged sysctl control whether or > not to log seccomp actions taken for processes that are being audited, > then I think the following (untested) patch should do exactly what you > want. I imagine that you'd also want seccomp to emit audit events > whenever the value of the actions_logged sysctl is changed, which should > be pretty easy to do. > > I hope this helps! > > Tyler > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index af410d9..095b5dd 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -304,12 +304,6 @@ static inline void audit_inode_child(struct inode *parent, > } > void audit_core_dumps(long signr); > > -static inline void audit_seccomp(unsigned long syscall, long signr, int code) > -{ > - if (audit_enabled && unlikely(!audit_dummy_context())) > - __audit_seccomp(syscall, signr, code); > -} > - > static inline void audit_ptrace(struct task_struct *t) > { > if (unlikely(!audit_dummy_context())) > @@ -502,8 +496,6 @@ static inline void audit_core_dumps(long signr) > { } > static inline void __audit_seccomp(unsigned long syscall, long signr, int code) > { } > -static inline void audit_seccomp(unsigned long syscall, long signr, int code) > -{ } > static inline int auditsc_get_stamp(struct audit_context *ctx, > struct timespec64 *t, unsigned int *serial) > { > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 5f0dfb2ab..914a707 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -590,12 +590,6 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action, > */ > if (log) > return __audit_seccomp(syscall, signr, action); > - > - /* > - * Let the audit subsystem decide if the action should be audited based > - * on whether the current task itself is being audited. > - */ > - return audit_seccomp(syscall, signr, action); > } > > /* If audit folks are happy with this, I am too. :) -Kees -- Kees Cook Pixel Security