From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1762573AbdADCEt (ORCPT ); Tue, 3 Jan 2017 21:04:49 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:49282 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753155AbdADCEl (ORCPT ); Tue, 3 Jan 2017 21:04:41 -0500 Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions To: Paul Moore References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> Cc: Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, linux-kernel@vger.kernel.org From: Tyler Hicks Message-ID: Date: Wed, 4 Jan 2017 09:04:28 +0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="BbrD06xFs3NsExm1DCJKT6GUpODjq1XHd" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --BbrD06xFs3NsExm1DCJKT6GUpODjq1XHd Content-Type: multipart/mixed; boundary="RmuWv8CedobvlJl7Ma0gPcTrQis2vgwR4"; protected-headers="v1" From: Tyler Hicks To: Paul Moore Cc: Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-audit@redhat.com, linux-kernel@vger.kernel.org Message-ID: Subject: Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <8748cee7-efe3-a603-ef2e-dc9077b6ead4@canonical.com> In-Reply-To: --RmuWv8CedobvlJl7Ma0gPcTrQis2vgwR4 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 01/04/2017 02:42 AM, Paul Moore wrote: > On Tue, Jan 3, 2017 at 8:31 AM, Tyler Hicks wro= te: >> On 01/02/2017 04:47 PM, Paul Moore wrote: >>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks = wrote: >>>> This patch set creates the basis for auditing information specific t= o a given >>>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO ret= urn >>>> actions. The audit messages for SECCOMP_RET_ERRNO return actions inc= lude the >>>> errno value that will be returned to userspace. >>> >>> I'm replying to this patchset posting because it his my inbox first, >>> but my comments here apply to both this patchset and the other >>> seccomp/audit patchset you posted. >>> >>> In my experience, we have two or three problems (the count varies >>> depending on perspective) when it comes to seccomp filter reporting: >>> >>> 1. Inability to log all filter actions. >>> 2. Inability to selectively enable filtering; e.g. devs want noisy >>> logging, users want relative quiet. >>> 3. Consistent behavior with audit enabled and disabled. >> >> Agreed. Those three logging issues are what have been nagging me the m= ost. >=20 > /me nods >=20 >>> My current thinking - forgive me, this has been kicking around in my >>> head for the better part of six months (longer?) and I haven't >>> attempted to code it up - is to create a sysctl knob for a system wid= e >>> seccomp logging threshold that would be applied to the high 16-bits o= f >>> *every* triggered action: if the action was at/below the threshold a >>> record would be emitted, otherwise silence. This should resolve >>> problems #1 and #2, and the code should be relatively straightforward= >>> and small. >> >> I like that idea quite a bit. To be completely honest, for #1, I >> personally only care about logging SECCOMP_RET_ERRNO actions but this >> idea solves it in a nice and general way. >=20 > Yeah, I'd much rather solve this problem generally; everybody has > their favorite action and I'd like to avoid solving the same problem > multiple times. >=20 > Sooo ... you want to take a whack at coding this up? ;) Yes, I can do that. >=20 >>> As part of the code above, I expect that all seccomp logging would ge= t >>> routed through a single logging function (sort of like a better >>> implementation of the existing audit_seccomp()) that would check the >>> threshold and trigger the logging if needed. This function could be >>> augmented to check for CONFIG_AUDIT and in the case where audit was >>> not built into the kernel, a simple printk could be used to log the >>> seccomp event; solving problem #3. >> >> That doesn't fully solve #3 for me. In Ubuntu (and I think Debian), we= >> build with CONFIG_AUDIT enabled but don't ship auditd by default so >> audit_enabled is false. In that default configuration, we still want >> seccomp audit messages to be printk'ed. I'll need to figure out how to= >> cleanly allow opting into seccomp audit messages when CONFIG_AUDIT is >> enabled and audit_enabled is false. >=20 > Heh, so you've got audit built into the kernel but you're not using > it; that sounds "fun". Users that need full auditing functionality can simply install auditd but most users don't require it. Ubuntu has done it this way for many years and the lack of seccomp auditing when auditd isn't running has been the only problem that I can remember. > Anyway, I think the logging consolidation could still help you, if for > no other reason than everything is going through the same function at > that point. We could do some other stuff there to handle the case > where audit is compiled, but auditd is not running ... we already have > some code in place to handle that for other reasons, check > kernel/audit.c for more information. I'd still work on the other > stuff first and then we can add this in at the end of the patchset. /me nods. It is easy to continue to distro patch out the recently added check for audit_enabled until a better solution for all distros can be identified/upstreamed. Thanks again! Tyler >=20 >>> We could also add a SECCOMP_RET_AUDIT, or similar, if we still feel >>> that is important (I personally waffle on this), but I think that is >>> independent of the ideas above. >> >> I agree that it is independent but SECCOMP_RET_AUDIT would still be >> important to Ubuntu. >> >> Tyler >=20 --RmuWv8CedobvlJl7Ma0gPcTrQis2vgwR4-- --BbrD06xFs3NsExm1DCJKT6GUpODjq1XHd Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYbFgsAAoJENaSAD2qAscKXhwQAJ6GjO07u6RLwTb9he6jjQ8c eHlsYtezWi2gdQ/8x5khrL2qTZEpxVOHCyDPC4DsvS98zXdhGn3TI77fq984JkHo BRwe0aj6l5FoWEmDFmtYLRBj7fOrSFW86BFuxRwsciETw5oFSnNUGKSnVTC9Cghj vliGl72lbgNaam4gveVsvULSqjYV0ixyOnuQ5/yxsqkNiUweCvR0G5pKPkkfHg70 XRR7AbVoIoBDAKmqfm1e3XbuRtYcVil2mR7jaOtJbuFYVQBWivxmdMZbFiVq/U2u 3QCpzkSx11jDVDLSBV3i4lQcvgCxQ/4SxT/io8BTs8NIcx2uLT1uE7qPdUH42/K0 9DJINihVw9trGmVJtLV56ECLsQBNMg31gZGI+xlHaOcnIyFoTV+JlCtkJkLV4W8c i7RUDavunEyx3CXg+dMVxwxGcofEsEhnmU41Xp3MrVQK3hc2NtC4pAG4c6C3lTDg aPWOVRCqWd3ipusMbzVSHY90y9LXsTwLuyL+egLx3D2o7OS5WsFbdTlyEytYENmz JG2NfALMTTzTFRRqyb+nf0fJw0ds7UOur19A/tXZ+k1eCwv9XtvGJZn7teDkKQbT CgmdTa9MkCLNlog4oHoMFKQ5uKW36jSfi0861izzvGsSEZZtq48lNaGFnaKagmX4 NFFrLVIXJOHwgZCiWsrp =rKYp -----END PGP SIGNATURE----- --BbrD06xFs3NsExm1DCJKT6GUpODjq1XHd--