From: Kees Cook <keescook@chromium.org> To: Paul Moore <paul@paul-moore.com> Cc: Tyler Hicks <tyhicks@canonical.com>, Eric Paris <eparis@redhat.com>, Andy Lutomirski <luto@amacapital.net>, Will Drewry <wad@chromium.org>, linux-audit@redhat.com, LKML <linux-kernel@vger.kernel.org> Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Date: Tue, 3 Jan 2017 12:44:41 -0800 [thread overview] Message-ID: <CAGXu5jLJd+JufiKd3azXgg1C-7or50BP_ShNq6VzR67J2PQe7w@mail.gmail.com> (raw) In-Reply-To: <CAHC9VhTzxCZAMWS+peTBV7ZssxUFeErngiSpZJ9AFe5wKC5rEA@mail.gmail.com> On Tue, Jan 3, 2017 at 11:42 AM, Paul Moore <paul@paul-moore.com> wrote: > On Tue, Jan 3, 2017 at 8:31 AM, Tyler Hicks <tyhicks@canonical.com> wrote: >> On 01/02/2017 04:47 PM, Paul Moore wrote: >>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhicks@canonical.com> wrote: >>>> This patch set creates the basis for auditing information specific to a given >>>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return >>>> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the >>>> errno value that will be returned to userspace. >>> >>> I'm replying to this patchset posting because it his my inbox first, >>> but my comments here apply to both this patchset and the other >>> seccomp/audit patchset you posted. >>> >>> In my experience, we have two or three problems (the count varies >>> depending on perspective) when it comes to seccomp filter reporting: >>> >>> 1. Inability to log all filter actions. >>> 2. Inability to selectively enable filtering; e.g. devs want noisy >>> logging, users want relative quiet. >>> 3. Consistent behavior with audit enabled and disabled. >> >> Agreed. Those three logging issues are what have been nagging me the most. > > /me nods I think this sounds fine too. >>> My current thinking - forgive me, this has been kicking around in my >>> head for the better part of six months (longer?) and I haven't >>> attempted to code it up - is to create a sysctl knob for a system wide >>> seccomp logging threshold that would be applied to the high 16-bits of >>> *every* triggered action: if the action was at/below the threshold a >>> record would be emitted, otherwise silence. This should resolve >>> problems #1 and #2, and the code should be relatively straightforward >>> and small. >> >> I like that idea quite a bit. To be completely honest, for #1, I >> personally only care about logging SECCOMP_RET_ERRNO actions but this >> idea solves it in a nice and general way. > > Yeah, I'd much rather solve this problem generally; everybody has > their favorite action and I'd like to avoid solving the same problem > multiple times. > > Sooo ... you want to take a whack at coding this up? ;) > >>> As part of the code above, I expect that all seccomp logging would get >>> routed through a single logging function (sort of like a better >>> implementation of the existing audit_seccomp()) that would check the >>> threshold and trigger the logging if needed. This function could be >>> augmented to check for CONFIG_AUDIT and in the case where audit was >>> not built into the kernel, a simple printk could be used to log the >>> seccomp event; solving problem #3. >> >> That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we >> build with CONFIG_AUDIT enabled but don't ship auditd by default so >> audit_enabled is false. In that default configuration, we still want >> seccomp audit messages to be printk'ed. I'll need to figure out how to >> cleanly allow opting into seccomp audit messages when CONFIG_AUDIT is >> enabled and audit_enabled is false. > > Heh, so you've got audit built into the kernel but you're not using > it; that sounds "fun". > > Anyway, I think the logging consolidation could still help you, if for > no other reason than everything is going through the same function at > that point. We could do some other stuff there to handle the case > where audit is compiled, but auditd is not running ... we already have > some code in place to handle that for other reasons, check > kernel/audit.c for more information. I'd still work on the other > stuff first and then we can add this in at the end of the patchset. Yeah, I think the "should I report it?" threshold sysctl could just check if audit is enabled... I still wonder, though, isn't there a way to use auditctl to get all the seccomp messages you need? -Kees > >>> We could also add a SECCOMP_RET_AUDIT, or similar, if we still feel >>> that is important (I personally waffle on this), but I think that is >>> independent of the ideas above. >> >> I agree that it is independent but SECCOMP_RET_AUDIT would still be >> important to Ubuntu. >> >> Tyler > > -- > paul moore > www.paul-moore.com -- Kees Cook Nexus Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Paul Moore <paul@paul-moore.com> Cc: Will Drewry <wad@chromium.org>, LKML <linux-kernel@vger.kernel.org>, Andy Lutomirski <luto@amacapital.net>, linux-audit@redhat.com Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Date: Tue, 3 Jan 2017 12:44:41 -0800 [thread overview] Message-ID: <CAGXu5jLJd+JufiKd3azXgg1C-7or50BP_ShNq6VzR67J2PQe7w@mail.gmail.com> (raw) In-Reply-To: <CAHC9VhTzxCZAMWS+peTBV7ZssxUFeErngiSpZJ9AFe5wKC5rEA@mail.gmail.com> On Tue, Jan 3, 2017 at 11:42 AM, Paul Moore <paul@paul-moore.com> wrote: > On Tue, Jan 3, 2017 at 8:31 AM, Tyler Hicks <tyhicks@canonical.com> wrote: >> On 01/02/2017 04:47 PM, Paul Moore wrote: >>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhicks@canonical.com> wrote: >>>> This patch set creates the basis for auditing information specific to a given >>>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return >>>> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the >>>> errno value that will be returned to userspace. >>> >>> I'm replying to this patchset posting because it his my inbox first, >>> but my comments here apply to both this patchset and the other >>> seccomp/audit patchset you posted. >>> >>> In my experience, we have two or three problems (the count varies >>> depending on perspective) when it comes to seccomp filter reporting: >>> >>> 1. Inability to log all filter actions. >>> 2. Inability to selectively enable filtering; e.g. devs want noisy >>> logging, users want relative quiet. >>> 3. Consistent behavior with audit enabled and disabled. >> >> Agreed. Those three logging issues are what have been nagging me the most. > > /me nods I think this sounds fine too. >>> My current thinking - forgive me, this has been kicking around in my >>> head for the better part of six months (longer?) and I haven't >>> attempted to code it up - is to create a sysctl knob for a system wide >>> seccomp logging threshold that would be applied to the high 16-bits of >>> *every* triggered action: if the action was at/below the threshold a >>> record would be emitted, otherwise silence. This should resolve >>> problems #1 and #2, and the code should be relatively straightforward >>> and small. >> >> I like that idea quite a bit. To be completely honest, for #1, I >> personally only care about logging SECCOMP_RET_ERRNO actions but this >> idea solves it in a nice and general way. > > Yeah, I'd much rather solve this problem generally; everybody has > their favorite action and I'd like to avoid solving the same problem > multiple times. > > Sooo ... you want to take a whack at coding this up? ;) > >>> As part of the code above, I expect that all seccomp logging would get >>> routed through a single logging function (sort of like a better >>> implementation of the existing audit_seccomp()) that would check the >>> threshold and trigger the logging if needed. This function could be >>> augmented to check for CONFIG_AUDIT and in the case where audit was >>> not built into the kernel, a simple printk could be used to log the >>> seccomp event; solving problem #3. >> >> That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we >> build with CONFIG_AUDIT enabled but don't ship auditd by default so >> audit_enabled is false. In that default configuration, we still want >> seccomp audit messages to be printk'ed. I'll need to figure out how to >> cleanly allow opting into seccomp audit messages when CONFIG_AUDIT is >> enabled and audit_enabled is false. > > Heh, so you've got audit built into the kernel but you're not using > it; that sounds "fun". > > Anyway, I think the logging consolidation could still help you, if for > no other reason than everything is going through the same function at > that point. We could do some other stuff there to handle the case > where audit is compiled, but auditd is not running ... we already have > some code in place to handle that for other reasons, check > kernel/audit.c for more information. I'd still work on the other > stuff first and then we can add this in at the end of the patchset. Yeah, I think the "should I report it?" threshold sysctl could just check if audit is enabled... I still wonder, though, isn't there a way to use auditctl to get all the seccomp messages you need? -Kees > >>> We could also add a SECCOMP_RET_AUDIT, or similar, if we still feel >>> that is important (I personally waffle on this), but I think that is >>> independent of the ideas above. >> >> I agree that it is independent but SECCOMP_RET_AUDIT would still be >> important to Ubuntu. >> >> Tyler > > -- > paul moore > www.paul-moore.com -- Kees Cook Nexus Security
next prev parent reply other threads:[~2017-01-03 20:45 UTC|newest] Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-01-02 16:53 [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Tyler Hicks 2017-01-02 16:53 ` [PATCH 1/2] seccomp: Allow for auditing functionality specific to " Tyler Hicks 2017-01-02 16:53 ` [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Tyler Hicks 2017-01-02 17:20 ` Steve Grubb 2017-01-02 17:20 ` Steve Grubb 2017-01-02 17:42 ` Tyler Hicks 2017-01-02 17:42 ` Tyler Hicks 2017-01-02 18:49 ` Steve Grubb 2017-01-02 18:49 ` Steve Grubb 2017-01-02 22:55 ` Paul Moore 2017-01-02 22:47 ` [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Paul Moore 2017-01-03 5:56 ` Andy Lutomirski 2017-01-03 19:31 ` Paul Moore 2017-01-03 13:31 ` Tyler Hicks 2017-01-03 13:31 ` Tyler Hicks 2017-01-03 19:42 ` Paul Moore 2017-01-03 19:42 ` Paul Moore 2017-01-03 20:44 ` Kees Cook [this message] 2017-01-03 20:44 ` Kees Cook 2017-01-03 20:53 ` Steve Grubb 2017-01-03 20:54 ` Paul Moore 2017-01-03 20:54 ` Paul Moore 2017-01-03 21:03 ` Kees Cook 2017-01-03 21:03 ` Kees Cook 2017-01-03 21:13 ` Paul Moore 2017-01-03 21:13 ` Paul Moore 2017-01-03 21:21 ` Kees Cook 2017-01-03 21:31 ` Paul Moore 2017-01-03 21:44 ` Kees Cook 2017-01-03 21:44 ` Kees Cook 2017-01-04 1:58 ` Tyler Hicks 2017-01-04 1:58 ` Tyler Hicks 2017-01-04 4:43 ` Richard Guy Briggs 2017-01-04 4:43 ` Richard Guy Briggs 2017-01-04 6:31 ` Kees Cook 2017-01-04 2:04 ` Tyler Hicks 2017-01-03 5:57 ` Andy Lutomirski 2017-01-03 13:53 ` Tyler Hicks
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAGXu5jLJd+JufiKd3azXgg1C-7or50BP_ShNq6VzR67J2PQe7w@mail.gmail.com \ --to=keescook@chromium.org \ --cc=eparis@redhat.com \ --cc=linux-audit@redhat.com \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=paul@paul-moore.com \ --cc=tyhicks@canonical.com \ --cc=wad@chromium.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.