From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761336AbdACVB5 (ORCPT ); Tue, 3 Jan 2017 16:01:57 -0500 Received: from mail-ua0-f196.google.com ([209.85.217.196]:33636 "EHLO mail-ua0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756640AbdACVBZ (ORCPT ); Tue, 3 Jan 2017 16:01:25 -0500 MIME-Version: 1.0 X-Originating-IP: [96.230.190.88] In-Reply-To: References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> From: Paul Moore Date: Tue, 3 Jan 2017 15:54:25 -0500 Message-ID: Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions To: Kees Cook Cc: Tyler Hicks , Eric Paris , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, LKML Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 3, 2017 at 3:44 PM, Kees Cook wrote: > I still wonder, though, isn't there a way to use auditctl to get all > the seccomp messages you need? Not all of the seccomp actions are currently logged, that's one of the problems (and the biggest at the moment). -- paul moore www.paul-moore.com From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions Date: Tue, 3 Jan 2017 15:54:25 -0500 Message-ID: References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com [10.5.110.39]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v03KsSK9004404 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 3 Jan 2017 15:54:28 -0500 Received: from mail-ua0-f193.google.com (mail-ua0-f193.google.com [209.85.217.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EB5796826 for ; Tue, 3 Jan 2017 20:54:27 +0000 (UTC) Received: by mail-ua0-f193.google.com with SMTP id 2so268981uax.3 for ; Tue, 03 Jan 2017 12:54:26 -0800 (PST) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Kees Cook Cc: Will Drewry , LKML , Andy Lutomirski , linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tue, Jan 3, 2017 at 3:44 PM, Kees Cook wrote: > I still wonder, though, isn't there a way to use auditctl to get all > the seccomp messages you need? Not all of the seccomp actions are currently logged, that's one of the problems (and the biggest at the moment). -- paul moore www.paul-moore.com