On 2022-06-08 12:01:19, Deven Bowers wrote:
> +/**
> + * getaudit: Read handler for the securityfs node, "ipe/success_audit"
> + * @f: Supplies a file structure representing the securityfs node.
> + * @data: Supplies a buffer passed to the read syscall
> + * @len: Supplies the length of @data
> +
On 2020-06-29 17:30:03, Mimi Zohar wrote:
> [Cc'ing the audit mailing list]
>
> On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index ff2bf57ff0c7..5d62ee8319f4 100644
>
Grubb <sgr...@redhat.com>
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/userspace-api/seccomp_filter.rst | 7 ---
include/linux/audit.h | 10 +-
kernel/auditsc.c | 14 ++
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
evaluates to true.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 60 +++-
1 file changed, 38 insertions(+), 22 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index dc77548..f4afe67 100644
--- a/
reading the actions_logged sysctl.
Suggested-by: Steve Grubb <sgr...@redhat.com>
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/audit.h | 5 +
kernel/auditsc.c | 20 ++
kernel/seccomp.c | 58 ++
.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 13 +++--
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f4afe67..b36ac1e 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1135,10 +1135,11 @@ static
On 05/03/2018 04:12 PM, Steve Grubb wrote:
> On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote:
>> On 05/03/2018 03:48 PM, Paul Moore wrote:
>>> On Thu, May 3, 2018 at 4:42 PM, Steve Grubb <sgr...@redhat.com> wrote:
>>>> On Thursday, May 3,
On 05/01/2018 12:25 PM, Paul Moore wrote:
> On Tue, May 1, 2018 at 12:41 PM, Steve Grubb <sgr...@redhat.com> wrote:
>> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote:
>>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>>
Grubb <sgr...@redhat.com>
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/userspace-api/seccomp_filter.rst | 7 ---
include/linux/audit.h | 10 +-
kernel/auditsc.c | 14 ++
s,kill_thread,errno,trace,log res=1
No audit records are generated when reading the actions_logged sysctl.
Suggested-by: Steve Grubb <sgr...@redhat.com>
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/audit.h | 5 +
kernel/auditsc.c | 25
.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 13 +++--
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f4afe67..b36ac1e 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1135,10 +1135,11 @@ static
evaluates to true.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 60 +++-
1 file changed, 38 insertions(+), 22 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index dc77548..f4afe67 100644
--- a/
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
in the same
value as the previous example for the actions field:
type=CONFIG_CHANGE msg=audit(1524601204.365:152): pid=1704 uid=0
auid=1000 tty=pts8 ses=1 comm="tee" exe="/usr/bin/tee"
op=seccomp-logging actions="kill_process kill_thread errno trace log"
res=0
Grubb <sgr...@redhat.com>
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/userspace-api/seccomp_filter.rst | 7 ---
include/linux/audit.h | 10 +-
kernel/auditsc.c | 2 +-
kernel/seccomp.c
evaluates to true.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 60 +++-
1 file changed, 38 insertions(+), 22 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index dc77548..f4afe67 100644
--- a/
>> On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
>>> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>>> On 01/02/2018 02:03 PM, Steve Grubb wrote:
>>>>> Hello,
>>>>>
>>>>>
:02:19 AM EST Steve Grubb wrote:
>> On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote:
>>> On 12/14/2017 09:19 AM, Steve Grubb wrote:
>>>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>>>>> On 12/13/2017 05:58 PM, Steve Gr
On 12/15/2017 08:08 AM, Paul Moore wrote:
> On December 14, 2017 6:06:49 PM Tyler Hicks <tyhi...@canonical.com> wrote:
>
>> On 12/14/2017 09:19 AM, Steve Grubb wrote:
>>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>>>
>>>
On 12/14/2017 09:19 AM, Steve Grubb wrote:
> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote:
>
>> On 12/13/2017 05:58 PM, Steve Grubb wrote:
>
>> > Over the last month, the amount of seccomp events in audit logs is
>
>> > sky-rocketing. I ha
On 12/13/2017 05:58 PM, Steve Grubb wrote:
> Hello,
>
>
>
> Over the last month, the amount of seccomp events in audit logs is
> sky-rocketing. I have over a million events in the last 2 days. Most of
> this is generated by firefox and qt webkit.
>
>
>
> I am wondering if the audit package
On 12/06/2017 12:47 PM, Casey Schaufler wrote:
> On 12/6/2017 9:51 AM, Tyler Hicks wrote:
>> Hello - The AppArmor project would like for AppArmor audit records to be
>> supported by the audit-userspace tools, such as ausearch, but it
>> requires some coordination between the
Hello - The AppArmor project would like for AppArmor audit records to be
supported by the audit-userspace tools, such as ausearch, but it
requires some coordination between the linux-security-module and
linux-audit lists. This was raised as a feature request years ago in
Ubuntu and more recently
On 08/11/2017 02:17 PM, Kees Cook wrote:
> On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int
>> write,
>> + void _
== RET_KILL && RET_KILL in actions_logged:
log
else if action == RET_LOG && RET_LOG in actions_logged:
log
else if filter-requests-logging && action in actions_logged:
log
else if audit_enabled && process-is-being-audited:
log
else:
do not log
that the flag is invalid.
This patch adds a selftest that can be used to test this method of
detection in userspace.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 59 +++
1 file changed, 59 insertions(+)
diff
re
exactly what seccomp logs through the audit subsystem. Support for this
level of logging configuration will come in a future patch.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/sysctl/kernel.txt| 1 +
Documentation/userspace-api/seccomp
This patch set aims to improve logging in seccomp by:
1) Empowering administrators to be able to permit or quiet logging of
specific seccomp actions
2) Allowing applications to request logging of all actions, except for
RET_ALLOW, in the filter being loaded (subject to the
log
else if filter-requests-logging && action in actions_logged:
log
else if audit_enabled && process-is-being-audited:
log
else:
do not log
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/seccomp.h | 3 +-
include/uapi/linux/s
this new operation, -1 is returned with errno set to -EINVAL meaning
that userspace code will have the ability to differentiate between the
two error cases.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Suggested-by: Andy Lutomirski <l...@amacapital.net>
---
include/uapi/lin
ns_logged:
log
else if audit_enabled && task-is-being-audited:
log
else:
do not log
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/userspace-api/seccomp_filter.rst | 18 +++
include/linux/audit.h | 6 +-
On 08/04/2017 05:24 PM, Tyler Hicks wrote:
> On 08/03/2017 11:33 AM, Kees Cook wrote:
>> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>> Administrators can write to this sysctl to set the seccomp actions that
>>> are allowed to
On 2017-08-04 17:24:00, Tyler Hicks wrote:
> On 08/03/2017 11:33 AM, Kees Cook wrote:
> > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
> >> Administrators can write to this sysctl to set the seccomp actions that
> >> are allowed to
On 08/03/2017 11:58 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Userspace needs to be able to reliably detect the support of a filter
>> flag. A good way of doing that is by attempting to enter filter mode,
>
On 08/03/2017 11:56 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing
>> the syscall. At the implementation level, this action is identic
On 08/03/2017 11:51 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Add a new filter flag, SECCOMP_FILTER_FLAG_LOG, that enables logging for
>> all actions except for SECCOMP_RET_ALLOW for the given filter.
>>
On 08/03/2017 11:54 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Userspace code that needs to check if the kernel supports a given action
>> may not be able to use the /proc/sys/kernel/seccomp/actions_avail
>>
On 08/03/2017 11:33 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Administrators can write to this sysctl to set the seccomp actions that
>> are allowed to be logged. Any actions not found in this sysctl
On 08/03/2017 11:37 AM, Kees Cook wrote:
> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch creates a read-only sysctl containing an ordered list of
>> seccomp actions that the kernel supports. The ordering, from left to
>> right,
byte hole
(unavoidable) and consumes one of those bytes.
Unfortunately, the tests added for SECCOMP_FILTER_FLAG_LOG are not
capable of inspecting the audit log to verify that the actions taken in
the filter were logged.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
*
that the flag is invalid.
This patch adds a selftest that can be used to test this method of
detection in userspace.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
* Changes since v4:
- This is a new patch
tools/testing/selftests/seccomp/seccomp_bpf.c | 58
restrictive than quietly allowing.
Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of
inspecting the audit log to verify that the syscall was logged.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
* Change since v4:
- folded the previously separate selftest
ing audited, meaning that an audit context has been
allocated for the task, seccomp will log all actions other than
SECCOMP_RET_ALLOW despite the value of actions_logged. This exception
preserves the existing auditing behavior of tasks with an allocated
audit context.
Signed-off-by: Tyler Hicks <
re
exactly what seccomp logs through the audit subsystem. Support for this
level of logging configuration will come in a future patch.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
* Changes since v4:
- move device_initcall() into CONFIG_SYSCTL ifdef
- mark the seccomp_acti
On 04/27/2017 07:42 PM, Kees Cook wrote:
> On Thu, Apr 27, 2017 at 3:17 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Quick update... I finished the move from the high-water mark
>> log_max_action sysctl to the bitmask based actions_logged sysctl.
>
> Awesome!
>
On 04/10/2017 10:59 PM, Kees Cook wrote:
> On Fri, Apr 7, 2017 at 4:46 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 04/07/2017 05:46 PM, Kees Cook wrote:
>>> Does the app-controlled bitmask apply to the filter, the process, the
>>> process tree, or some
On 04/10/2017 10:57 AM, Andy Lutomirski wrote:
> On Fri, Apr 7, 2017 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 02/22/2017 12:46 PM, Kees Cook wrote:
>>> On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote:
>>>
On 04/07/2017 05:46 PM, Kees Cook wrote:
> On Fri, Apr 7, 2017 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 02/22/2017 12:46 PM, Kees Cook wrote:
>>> On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote:
>>>> On Wed, F
On 02/22/2017 12:46 PM, Kees Cook wrote:
> On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote:
>> On Wed, Feb 15, 2017 at 7:24 PM, Andy Lutomirski <l...@amacapital.net> wrote:
>>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonica
On 02/16/2017 12:40 PM, Tyler Hicks wrote:
> On 02/15/2017 07:10 PM, Kees Cook wrote:
>> On Mon, Feb 13, 2017 at 7:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>>> index e36dfe9..270a227 100644
>>>
On 02/16/2017 01:01 PM, Andy Lutomirski wrote:
> On Thu, Feb 16, 2017 at 10:47 AM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 02/15/2017 09:14 PM, Andy Lutomirski wrote:
>>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>>
On 02/15/2017 09:24 PM, Andy Lutomirski wrote:
> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch set is the third revision of the following two previously
>> submitted patch sets:
>>
>> v1:
>> http://lkml.kernel.
On 02/15/2017 09:14 PM, Andy Lutomirski wrote:
> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch creates a read-only sysctl containing an ordered list of
>> seccomp actions that the kernel supports. The ordering, from left to
>>
On 02/15/2017 07:00 PM, Kees Cook wrote:
> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch creates a read-only sysctl containing an ordered list of
>> seccomp actions that the kernel supports. The ordering, from left to
>> right,
On 02/15/2017 07:10 PM, Kees Cook wrote:
> On Mon, Feb 13, 2017 at 7:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
>> index e36dfe9..270a227 100644
>> --- a/kernel/seccomp.c
>> +++ b/kernel/seccomp.c
>
tl
- Patch 3
+ Put some space between RET_LOG and RET_ALLOW for future actions
+ Separate the RET_ALLOW and RET_LOG cases in __seccomp_filter()
- Patch 4
+ Adjust the selftests for the updated RET_LOG value
Tyler
Tyler Hicks (4):
seccomp: Add sysctl to display available actions
se
r of tasks with an allocated
audit context.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 21 ++
include/linux/audit.h | 6 +-
kernel/seccomp.c | 123 -
3 files changed
be written to the max_action_to_log sysctl in order to get a
list of logged actions without the, potentially larger, set of allowed
actions.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 6 ++
include/uapi/linux/seccomp.h | 1 +
Extend the kernel selftests for seccomp to test the newly added
SECCOMP_RET_LOG action. The added tests follow the example of existing
tests.
Unfortunately, the tests are not capable of inspecting the audit log to
verify that the syscall was logged.
Signed-off-by: Tyler Hicks <t
re
exactly what seccomp logs through the audit subsystem. Support for this
level of logging configuration will come in a future patch.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 16 ++
Documentation/sysctl/kernel.txt| 1 +
r of tasks with an allocated
audit context.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 21 ++
include/linux/audit.h | 6 +-
kernel/seccomp.c | 123 -
3 files changed
Extend the kernel selftests for seccomp to test the newly added
SECCOMP_RET_LOG action. The added tests follow the example of existing
tests.
Unfortunately, the tests are not capable of inspecting the audit log to
verify that the syscall was logged.
Signed-off-by: Tyler Hicks <t
be written to the max_action_to_log sysctl in order to get a
list of logged actions without the, potentially larger, set of allowed
actions.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 6 ++
include/uapi/linux/seccomp.h | 1 +
On 02/07/2017 06:43 PM, Kees Cook wrote:
> On Tue, Feb 7, 2017 at 4:25 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 02/07/2017 06:03 PM, Kees Cook wrote:
>>> On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>>> This p
On 02/10/2017 06:08 PM, Kees Cook wrote:
> On Fri, Feb 10, 2017 at 4:01 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 02/07/2017 06:33 PM, Kees Cook wrote:
>>> This adds to UAPI, so it'd be good to think for a moment about how
>>> this would work on old
On 02/07/2017 06:33 PM, Kees Cook wrote:
> On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing
>> the syscall. At the implementation level, this action is identical to
>> the
On 02/07/2017 06:24 PM, Kees Cook wrote:
> On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> Administrators can write to this sysctl to set the maximum seccomp
>> action that should be logged. Any actions with values greater than
>> w
On 02/07/2017 06:03 PM, Kees Cook wrote:
> On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch creates a read-only sysctl containing an ordered list of
>> seccomp actions that the kernel supports. The ordering, from left to
>> right,
Extend the kernel selftests for seccomp to test the newly added
SECCOMP_RET_LOG action. The added tests follow the example of existing
tests.
Unfortunately, the tests are not capable of inspecting the audit log to
verify that the syscall was logged.
Signed-off-by: Tyler Hicks <t
r of tasks with an allocated
audit context.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/audit.h | 6 +--
kernel/seccomp.c | 114 --
2 files changed, 112 insertions(+), 8 deletions(-)
diff --git a/include/linux/a
This patch set is the second revision of the following two previously
submitted patch sets:
http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhi...@canonical.com
http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhi...@canonical.com
The patch set aims to address some known
be written to the max_action_to_log sysctl in order to get a
list of logged actions without the, potentially larger, set of allowed
actions.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
Documentation/prctl/seccomp_filter.txt | 6 ++
include/uapi/linux/seccomp.h | 1 +
re
exactly what seccomp logs through the audit subsystem. Support for this
level of logging configuration will come in a future patch.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
kernel/seccomp.c | 50 ++
1 file changed, 50 insertion
On 01/04/2017 02:42 AM, Paul Moore wrote:
> On Tue, Jan 3, 2017 at 8:31 AM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> On 01/02/2017 04:47 PM, Paul Moore wrote:
>>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote:
>>>> Thi
On 01/04/2017 04:44 AM, Kees Cook wrote:
> On Tue, Jan 3, 2017 at 1:31 PM, Paul Moore wrote:
>> On Tue, Jan 3, 2017 at 4:21 PM, Kees Cook wrote:
>>> On Tue, Jan 3, 2017 at 1:13 PM, Paul Moore wrote:
On Tue, Jan 3, 2017 at
On 01/02/2017 11:57 PM, Andy Lutomirski wrote:
> On Mon, Jan 2, 2017 at 8:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch set creates the basis for auditing information specific to a given
>> seccomp return action and then starts auditing SECCOMP_RET_ER
On 01/02/2017 04:47 PM, Paul Moore wrote:
> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote:
>> This patch set creates the basis for auditing information specific to a given
>> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return
On 2017-01-02 12:20:53, Steve Grubb wrote:
> On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:
> > Generate audit records for SECCOMP_RET_ERRNO actions, which were
> > previously not audited.
> >
> > Additionally, include the errno value that will be s
Extend the kernel selftests for seccomp to test the newly added
SECCOMP_RET_AUDIT action. The added tests follow the example of existing
tests.
Unfortunately, the tests are not capable of inspecting the audit log to
verify that an audit message was emitted.
Signed-off-by: Tyler Hicks <t
to
a different syscall, then updating the filter and rebuilding the app,
etc.
SECCOMP_RET_AUDIT is considered to be slightly more restrictive than
SECCOMP_RET_ALLOW. The reason is because 'audit before allowing' is more
restrictive than 'silently allowing'.
Signed-off-by: Tyler Hicks <tyhi...@canonical.
Allow application authors to opt into auditing a syscall before allowing it.
This differs slightly from SECCOMP_RET_ALLOW in that an audit message is
generated for the syscall.
It can be useful when initially setting up a seccomp sandbox for your
application if you set the default action to audit
Generate audit records for SECCOMP_RET_ERRNO actions, which were
previously not audited.
Additionally, include the errno value that will be set in the audit
message.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/audit.h | 19 ++-
kernel/auditsc.c
functional change in that "sig=0" is not
printed when auditing seccomp actions other than SECCOMP_RET_KILL.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
include/linux/audit.h | 39 +--
kernel/auditsc.c | 19 +++
This patch set creates the basis for auditing information specific to a given
seccomp return action and then starts auditing SECCOMP_RET_ERRNO return
actions. The audit messages for SECCOMP_RET_ERRNO return actions include the
errno value that will be returned to userspace.
Tyler
--
Linux-audit
[Added Eric to cc]
On 2014-06-06 13:46:48, Tyler Hicks wrote:
On 2014-05-30 17:00:04, Steve Grubb wrote:
On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote:
On 2014-05-30 15:53:49, Steve Grubb wrote:
On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
This patch came from
On 2014-05-30 15:53:49, Steve Grubb wrote:
On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
This patch came from our L3 department. AppArmor LSM is logging using the
common_lsm_audit() call but the audit userspace parsing code expects to see
an SELinux tclass field. This patch
On 2014-05-28 15:33:06, Tony Jones wrote:
This patch came from our L3 department. AppArmor LSM is logging using the
common_lsm_audit()
call but the audit userspace parsing code expects to see an SELinux tclass
field. This patch
doesn't address the lack of support for AppArmor in aureport
On 2014-05-29 11:01:38, Steve Grubb wrote:
On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote:
On 2014-05-28 15:33:06, Tony Jones wrote:
This patch came from our L3 department. AppArmor LSM is logging using the
common_lsm_audit() call but the audit userspace parsing code expects
On 2014-05-28 15:33:06, Tony Jones wrote:
This patch came from our L3 department. AppArmor LSM is logging using the
common_lsm_audit()
call but the audit userspace parsing code expects to see an SELinux tclass
field. This patch
doesn't address the lack of support for AppArmor in aureport
On 2013-07-25 18:02:55, Tyler Hicks wrote:
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message
messages in both functions.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Cc: Al Viro v...@zeniv.linux.org.uk
Cc: Eric Paris epa...@redhat.com
Cc: linux-audit@redhat.com
---
It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ([AUDIT] clean
up audit_receive_msg()) introduced this bug, so I
These patches fix the majority of compiler warnings seen when building audit on
Ubuntu.
The audit codebase rarely checked the return value of asprintf(), which can
cause problems if memory allocation fails. Most of the missing checks are
in libauparse, which is probably fine but who knows what
use ptr as a placeholder and use strndup() to
allocate str. Later in the function a new, non-const pointer is used to
modify str. These changes allow unescape() to still take a const char *
as its input parameter.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
---
src/aureport-options.c |2
. They
are not treated as fatal when the operations fail during log rotation since
we made sure that the file owner and permissions were correct when originally
opening the log file.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
---
audisp/audispd.c |6 --
src/auditd-event.c | 45
If an error occurs in asprintf(), the contents of the strp variable are
undefined. asprintf()'s return value must be checked and the parameter
passed into asprintf() should be set to NULL upon error.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
---
audisp/audispd.c
On 2012-12-20 13:17:17, Tyler Hicks wrote:
In Ubuntu's current development release, the Python header files have
been split up for multiarch reasons. /usr/include/python2.7/Python.h
includes pyconfig.h, which is in
/usr/include/x86_64-linux-gnu/python2.7/.
I'm not sure if this sort
On 2012-09-11 10:10:35, Tyler Hicks wrote:
On 2012-09-11 09:12:25, Steve Grubb wrote:
On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
On 2012-08-01 00:00:19, Tyler Hicks wrote:
Hello Steve - This is a patch set that allows --disable-listener to be
passed to the configure
On 2012-09-11 09:12:25, Steve Grubb wrote:
On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
On 2012-08-01 00:00:19, Tyler Hicks wrote:
Hello Steve - This is a patch set that allows --disable-listener to be
passed to the configure script to disable the auditd network listener