From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761418AbdACVVT (ORCPT ); Tue, 3 Jan 2017 16:21:19 -0500 Received: from mail-io0-f182.google.com ([209.85.223.182]:33014 "EHLO mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1761368AbdACVVL (ORCPT ); Tue, 3 Jan 2017 16:21:11 -0500 MIME-Version: 1.0 In-Reply-To: References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> From: Kees Cook Date: Tue, 3 Jan 2017 13:21:09 -0800 X-Google-Sender-Auth: GgTTSb-ewFZqmDE645eMGmMTcG8 Message-ID: Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions To: Paul Moore Cc: Tyler Hicks , Eric Paris , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, LKML Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 3, 2017 at 1:13 PM, Paul Moore wrote: > On Tue, Jan 3, 2017 at 4:03 PM, Kees Cook wrote: >> On Tue, Jan 3, 2017 at 12:54 PM, Paul Moore wrote: >>> On Tue, Jan 3, 2017 at 3:44 PM, Kees Cook wrote: >>>> I still wonder, though, isn't there a way to use auditctl to get all >>>> the seccomp messages you need? >>> >>> Not all of the seccomp actions are currently logged, that's one of the >>> problems (and the biggest at the moment). >> >> Well... sort of. It all gets passed around, but the logic isn't very >> obvious (or at least I always have to go look it up). > > Last time I checked SECCOMP_RET_ALLOW wasn't logged (as well as at > least one other action, but I can't remember which off the top of my > head)? Sure, but if you're using audit, you don't need RET_ALLOW to be logged because you'll get a full syscall log entry. Logging RET_ALLOW is redundant and provides no new information, it seems to me. -Kees -- Kees Cook Nexus Security