On Wed, May 2, 2018 at 12:57 PM, Kees Cook wrote:
> On Wed, May 2, 2018 at 8:53 AM, Tyler Hicks wrote:
>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>> index da78835..9029d9d 100644
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>> @@ -584,18 +584,13 @@ static inline void seccomp_log(u
On Wed, 2 May 2018, Tyler Hicks wrote:
> Break the read and write paths of the kernel.seccomp.actions_logged
> sysctl into separate functions to maintain readability. An upcoming
> change will need to audit writes, but not reads, of this sysctl which
> would introduce too many conditional code pat
On Wed, 2 May 2018, Tyler Hicks wrote:
> type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging
> actions=kill_process,kill_thread,errno,trace,log
> old-actions=kill_process,kill_thread,errno,trace,log res=1
>
> No audit records are generated when reading the actions_logged sysct
On Wed, 2 May 2018, Tyler Hicks wrote:
> The function that converts a bitmask of seccomp actions that are
> allowed to be logged is currently only used for constructing the display
> string for the kernel.seccomp.actions_logged sysctl. That string wants a
> space character to be used for the separ
On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote:
> The decision to log a seccomp action will always be subject to the
> value of the kernel.seccomp.actions_logged sysctl, even for processes
> that are being inspected via the audit subsystem, in an upcoming patch.
> Therefore, we need to
On Wed, May 2, 2018 at 8:53 AM, Tyler Hicks wrote:
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index da78835..9029d9d 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -584,18 +584,13 @@ static inline void seccomp_log(unsigned long syscall,
> long signr, u32 action,
>
On 05/01/2018 12:25 PM, Paul Moore wrote:
> On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote:
>> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote:
>>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote:
The decision to log a seccomp action will always be subject to the
value o
Seccomp logging for "handled" actions such as RET_TRAP, RET_TRACE, or
RET_ERRNO can be very noisy for processes that are being audited. This
patch modifies the seccomp logging behavior to treat processes that are
being inspected via the audit subsystem the same as processes that
aren't under inspec
The decision to log a seccomp action will always be subject to the
value of the kernel.seccomp.actions_logged sysctl, even for processes
that are being inspected via the audit subsystem, in an upcoming patch.
Therefore, we need to emit an audit record on attempts at writing to the
actions_logged sy
The function that converts a bitmask of seccomp actions that are
allowed to be logged is currently only used for constructing the display
string for the kernel.seccomp.actions_logged sysctl. That string wants a
space character to be used for the separator between actions.
A future patch will make
Break the read and write paths of the kernel.seccomp.actions_logged
sysctl into separate functions to maintain readability. An upcoming
change will need to audit writes, but not reads, of this sysctl which
would introduce too many conditional code paths on whether or not the
'write' parameter evalu
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
A
On Wed, May 2, 2018 at 3:00 AM, Ondrej Mosnacek wrote:
> 2018-05-01 22:06 GMT+02:00 Paul Moore :
>> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek wrote:
>>> This patch removes the restriction of the AUDIT_EXE field to only
>>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
2018-05-01 22:06 GMT+02:00 Paul Moore :
> On Wed, Apr 25, 2018 at 9:06 AM, Ondrej Mosnacek wrote:
>> This patch removes the restriction of the AUDIT_EXE field to only
>> SYSCALL filter and teaches audit_filter to recognize this field.
>>
>> This makes it possible to write rule lists such as:
>>
>>