From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758183AbdACTbl (ORCPT ); Tue, 3 Jan 2017 14:31:41 -0500 Received: from mail-ua0-f195.google.com ([209.85.217.195]:36197 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752568AbdACTbc (ORCPT ); Tue, 3 Jan 2017 14:31:32 -0500 MIME-Version: 1.0 X-Originating-IP: [96.230.190.88] In-Reply-To: References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> From: Paul Moore Date: Tue, 3 Jan 2017 14:31:30 -0500 Message-ID: Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions To: Andy Lutomirski Cc: Tyler Hicks , Eric Paris , Kees Cook , Will Drewry , linux-audit@redhat.com, "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 3, 2017 at 12:56 AM, Andy Lutomirski wrote: > On Mon, Jan 2, 2017 at 2:47 PM, Paul Moore wrote: >> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks wrote: >>> This patch set creates the basis for auditing information specific to a given >>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return >>> actions. The audit messages for SECCOMP_RET_ERRNO return actions include the >>> errno value that will be returned to userspace. >> >> I'm replying to this patchset posting because it his my inbox first, >> but my comments here apply to both this patchset and the other >> seccomp/audit patchset you posted. >> >> In my experience, we have two or three problems (the count varies >> depending on perspective) when it comes to seccomp filter reporting: >> >> 1. Inability to log all filter actions. >> 2. Inability to selectively enable filtering; e.g. devs want noisy >> logging, users want relative quiet. >> 3. Consistent behavior with audit enabled and disabled. >> >> My current thinking - forgive me, this has been kicking around in my >> head for the better part of six months (longer?) and I haven't >> attempted to code it up - is to create a sysctl knob for a system wide >> seccomp logging threshold that would be applied to the high 16-bits of >> *every* triggered action: if the action was at/below the threshold a >> record would be emitted, otherwise silence. This should resolve >> problems #1 and #2, and the code should be relatively straightforward >> and small. >> >> As part of the code above, I expect that all seccomp logging would get >> routed through a single logging function (sort of like a better >> implementation of the existing audit_seccomp()) that would check the >> threshold and trigger the logging if needed. This function could be >> augmented to check for CONFIG_AUDIT and in the case where audit was >> not built into the kernel, a simple printk could be used to log the >> seccomp event; solving problem #3. > > Would this not be doable with a seccomp tracepoint and a BPF filter? One of the motivations for the above idea is to make it easier for admins/users to customize the seccomp logging on their own systems, it's not just to make devs lives easier. I feel okay providing guidance to an admin/user the involves setting a sysctl variable, I can't say the same about asking them to write their own BPF ;) -- paul moore www.paul-moore.com