[PATCH 1/2] seccomp: Create an action to audit before allowing

Mon, 02 Jan 2017 09:29:21 -0800 

Add a new action, SECCOMP_RET_AUDIT, which is identical to
SECCOMP_RET_ALLOW with the exception that an audit message is logged
rather than quietly allowing the syscall.

This can be very useful when initially developing a seccomp filter for
an application because the list of syscalls needed, which aren't marked
for SECCOMP_RET_ALLOW, can be easily lifted from the audit log reports
after exercising the application. This provides a more friendly
experience than seeing the application get killed, then updating the
filter and rebuilding the app, seeing the application get killed due to
a different syscall, then updating the filter and rebuilding the app,
etc.

SECCOMP_RET_AUDIT is considered to be slightly more restrictive than
SECCOMP_RET_ALLOW. The reason is because 'audit before allowing' is more
restrictive than 'silently allowing'.

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
 Documentation/prctl/seccomp_filter.txt | 4 ++++
 include/uapi/linux/seccomp.h           | 1 +
 kernel/seccomp.c                       | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/Documentation/prctl/seccomp_filter.txt 
b/Documentation/prctl/seccomp_filter.txt
index 1e469ef..61169d3 100644
--- a/Documentation/prctl/seccomp_filter.txt
+++ b/Documentation/prctl/seccomp_filter.txt
@@ -138,6 +138,10 @@ SECCOMP_RET_TRACE:
        allow use of ptrace, even of other sandboxed processes, without
        extreme care; ptracers can use this mechanism to escape.)
 
+SECCOMP_RET_AUDIT:
+       Results in the system call being executed after an audit log record is
+       emitted.
+
 SECCOMP_RET_ALLOW:
        Results in the system call being executed.
 
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index 0f238a4..551f099 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -29,6 +29,7 @@
 #define SECCOMP_RET_TRAP       0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO      0x00050000U /* returns an errno */
 #define SECCOMP_RET_TRACE      0x7ff00000U /* pass to a tracer or disallow */
+#define SECCOMP_RET_AUDIT      0x7ffe0000U /* allow with an audit message */
 #define SECCOMP_RET_ALLOW      0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index e99c566..2c0ed54 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -632,6 +632,10 @@ static int __seccomp_filter(int this_syscall, const struct 
seccomp_data *sd,
 
                return 0;
 
+       case SECCOMP_RET_AUDIT:
+               audit_seccomp_common(this_syscall, action);
+               return 0;
+
        case SECCOMP_RET_ALLOW:
                return 0;
 
-- 
2.7.4

Reply via email to