From: Paul Moore
Date: Tue, 3 Jan 2017 16:31:55 -0500
Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions
To: Kees Cook
Cc: Tyler Hicks, Eric Paris, Andy Lutomirski, Will Drewry, linux-audit@redhat.com, LKML

On Tue, Jan 3, 2017 at 4:21 PM, Kees Cook wrote:
> On Tue, Jan 3, 2017 at 1:13 PM, Paul Moore wrote:
>> On Tue, Jan 3, 2017 at 4:03 PM, Kees Cook wrote:
>>> On Tue, Jan 3, 2017 at 12:54 PM, Paul Moore wrote:
>>>> On Tue, Jan 3, 2017 at 3:44 PM, Kees Cook wrote:
>>>>> I still wonder, though, isn't there a way to use auditctl to get all
>>>>> the seccomp messages you need?
>>>>
>>>> Not all of the seccomp actions are currently logged, that's one of the
>>>> problems (and the biggest at the moment).
>>>
>>> Well... sort of. It all gets passed around, but the logic isn't very
>>> obvious (or at least I always have to go look it up).
>>
>> Last time I checked SECCOMP_RET_ALLOW wasn't logged (as well as at
>> least one other action, but I can't remember which off the top of my
>> head)?
>
> Sure, but if you're using audit, you don't need RET_ALLOW to be logged
> because you'll get a full syscall log entry. Logging RET_ALLOW is
> redundant and provides no new information, it seems to me.

I only bring this up as it might be a way to help solve the
SECCOMP_RET_AUDIT problem that Tyler mentioned.

-- 
paul moore
www.paul-moore.com