Re: [PATCH v2 4/4] seccomp: Don't special case audited processes when logging

On Wed, May 2, 2018 at 12:57 PM, Kees Cook wrote: > On Wed, May 2, 2018 at 8:53 AM, Tyler Hicks wrote: >> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >> index da78835..9029d9d 100644 >> --- a/kernel/seccomp.c >> +++ b/kernel/seccomp.c >> @@ -584,18 +584,13 @@ static inline void seccomp_log(u

Re: [PATCH v2 1/4] seccomp: Separate read and write code for actions_logged sysctl

On Wed, 2 May 2018, Tyler Hicks wrote: > Break the read and write paths of the kernel.seccomp.actions_logged > sysctl into separate functions to maintain readability. An upcoming > change will need to audit writes, but not reads, of this sysctl which > would introduce too many conditional code pat

Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

On Wed, 2 May 2018, Tyler Hicks wrote: > type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging > actions=kill_process,kill_thread,errno,trace,log > old-actions=kill_process,kill_thread,errno,trace,log res=1 > > No audit records are generated when reading the actions_logged sysct

Re: [PATCH v2 2/4] seccomp: Configurable separator for the actions_logged string

On Wed, 2 May 2018, Tyler Hicks wrote: > The function that converts a bitmask of seccomp actions that are > allowed to be logged is currently only used for constructing the display > string for the kernel.seccomp.actions_logged sysctl. That string wants a > space character to be used for the separ

Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote: > The decision to log a seccomp action will always be subject to the > value of the kernel.seccomp.actions_logged sysctl, even for processes > that are being inspected via the audit subsystem, in an upcoming patch. > Therefore, we need to

Re: [PATCH v2 4/4] seccomp: Don't special case audited processes when logging

On Wed, May 2, 2018 at 8:53 AM, Tyler Hicks wrote: > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index da78835..9029d9d 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -584,18 +584,13 @@ static inline void seccomp_log(unsigned long syscall, > long signr, u32 action, >

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

On 05/01/2018 12:25 PM, Paul Moore wrote: > On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote: >> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: >>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: The decision to log a seccomp action will always be subject to the value o

[PATCH v2 4/4] seccomp: Don't special case audited processes when logging

Seccomp logging for "handled" actions such as RET_TRAP, RET_TRACE, or RET_ERRNO can be very noisy for processes that are being audited. This patch modifies the seccomp logging behavior to treat processes that are being inspected via the audit subsystem the same as processes that aren't under inspec

[PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

The decision to log a seccomp action will always be subject to the value of the kernel.seccomp.actions_logged sysctl, even for processes that are being inspected via the audit subsystem, in an upcoming patch. Therefore, we need to emit an audit record on attempts at writing to the actions_logged sy

[PATCH v2 2/4] seccomp: Configurable separator for the actions_logged string

The function that converts a bitmask of seccomp actions that are allowed to be logged is currently only used for constructing the display string for the kernel.seccomp.actions_logged sysctl. That string wants a space character to be used for the separator between actions. A future patch will make

[PATCH v2 1/4] seccomp: Separate read and write code for actions_logged sysctl

Break the read and write paths of the kernel.seccomp.actions_logged sysctl into separate functions to maintain readability. An upcoming change will need to audit writes, but not reads, of this sysctl which would introduce too many conditional code paths on whether or not the 'write' parameter evalu

[PATCH v2 0/4] Better integrate seccomp logging and auditing

Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action. A

Re: [PATCH] audit: allow other filter list types for AUDIT_EXE

On Wed, May 2, 2018 at 3:00 AM, Ondrej Mosnacek wrote: > 2018-05-01 22:06 GMT+02:00 Paul Moore : >> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek wrote: >>> This patch removes the restriction of the AUDIT_EXE field to only >>> SYSCALL filter and teaches audit_filter to recognize this field. >>

Re: [PATCH] audit: allow other filter list types for AUDIT_EXE

2018-05-01 22:06 GMT+02:00 Paul Moore : > On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek wrote: >> This patch removes the restriction of the AUDIT_EXE field to only >> SYSCALL filter and teaches audit_filter to recognize this field. >> >> This makes it possible to write rule lists such as: >> >>