From: Paul Moore <paul@paul-moore.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Tyler Hicks <tyhicks@canonical.com>,
Eric Paris <eparis@redhat.com>, Kees Cook <keescook@chromium.org>,
Will Drewry <wad@chromium.org>,
linux-audit@redhat.com,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions
Date: Tue, 3 Jan 2017 14:31:30 -0500 [thread overview]
Message-ID: <CAHC9VhTizdzTN6U_edocpMxVReTD2Vvm7JOM7oW=1ch4J_hUHg@mail.gmail.com> (raw)
In-Reply-To: <CALCETrViORew2PzXSPrCS+aqUnVTsatr85b05DPr9eG7RSGT+Q@mail.gmail.com>
On Tue, Jan 3, 2017 at 12:56 AM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Mon, Jan 2, 2017 at 2:47 PM, Paul Moore <paul@paul-moore.com> wrote:
>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhicks@canonical.com> wrote:
>>> This patch set creates the basis for auditing information specific to a given
>>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return
>>> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the
>>> errno value that will be returned to userspace.
>>
>> I'm replying to this patchset posting because it his my inbox first,
>> but my comments here apply to both this patchset and the other
>> seccomp/audit patchset you posted.
>>
>> In my experience, we have two or three problems (the count varies
>> depending on perspective) when it comes to seccomp filter reporting:
>>
>> 1. Inability to log all filter actions.
>> 2. Inability to selectively enable filtering; e.g. devs want noisy
>> logging, users want relative quiet.
>> 3. Consistent behavior with audit enabled and disabled.
>>
>> My current thinking - forgive me, this has been kicking around in my
>> head for the better part of six months (longer?) and I haven't
>> attempted to code it up - is to create a sysctl knob for a system wide
>> seccomp logging threshold that would be applied to the high 16-bits of
>> *every* triggered action: if the action was at/below the threshold a
>> record would be emitted, otherwise silence. This should resolve
>> problems #1 and #2, and the code should be relatively straightforward
>> and small.
>>
>> As part of the code above, I expect that all seccomp logging would get
>> routed through a single logging function (sort of like a better
>> implementation of the existing audit_seccomp()) that would check the
>> threshold and trigger the logging if needed. This function could be
>> augmented to check for CONFIG_AUDIT and in the case where audit was
>> not built into the kernel, a simple printk could be used to log the
>> seccomp event; solving problem #3.
>
> Would this not be doable with a seccomp tracepoint and a BPF filter?
One of the motivations for the above idea is to make it easier for
admins/users to customize the seccomp logging on their own systems,
it's not just to make devs lives easier. I feel okay providing
guidance to an admin/user the involves setting a sysctl variable, I
can't say the same about asking them to write their own BPF ;)
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2017-01-03 19:31 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-02 16:53 [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Tyler Hicks
2017-01-02 16:53 ` [PATCH 1/2] seccomp: Allow for auditing functionality specific to " Tyler Hicks
2017-01-02 16:53 ` [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Tyler Hicks
2017-01-02 17:20 ` Steve Grubb
2017-01-02 17:20 ` Steve Grubb
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 17:42 ` Tyler Hicks
2017-01-02 18:49 ` Steve Grubb
2017-01-02 18:49 ` Steve Grubb
2017-01-02 22:55 ` Paul Moore
2017-01-02 22:47 ` [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Paul Moore
2017-01-03 5:56 ` Andy Lutomirski
2017-01-03 19:31 ` Paul Moore [this message]
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 13:31 ` Tyler Hicks
2017-01-03 19:42 ` Paul Moore
2017-01-03 19:42 ` Paul Moore
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:44 ` Kees Cook
2017-01-03 20:53 ` Steve Grubb
2017-01-03 20:54 ` Paul Moore
2017-01-03 20:54 ` Paul Moore
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:03 ` Kees Cook
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:13 ` Paul Moore
2017-01-03 21:21 ` Kees Cook
2017-01-03 21:31 ` Paul Moore
2017-01-03 21:44 ` Kees Cook
2017-01-03 21:44 ` Kees Cook
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 1:58 ` Tyler Hicks
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 4:43 ` Richard Guy Briggs
2017-01-04 6:31 ` Kees Cook
2017-01-04 2:04 ` Tyler Hicks
2017-01-03 5:57 ` Andy Lutomirski
2017-01-03 13:53 ` Tyler Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhTizdzTN6U_edocpMxVReTD2Vvm7JOM7oW=1ch4J_hUHg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=eparis@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=tyhicks@canonical.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.