Re: [RFC PATCH v8 07/17] ipe: add auditing support

2022-08-09 Thread Tyler Hicks
On 2022-06-08 12:01:19, Deven Bowers wrote: > +/** > + * getaudit: Read handler for the securityfs node, "ipe/success_audit" > + * @f: Supplies a file structure representing the securityfs node. > + * @data: Supplies a buffer passed to the read syscall > + * @len: Supplies the length of @data > +

Re: [PATCH] ima: Rename internal audit rule functions

2020-07-10 Thread Tyler Hicks
On 2020-06-29 17:30:03, Mimi Zohar wrote: > [Cc'ing the audit mailing list] > > On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote: > > > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > > index ff2bf57ff0c7..5d62ee8319f4 100644 >

[PATCH v3 4/4] seccomp: Don't special case audited processes when logging

2018-05-03 Thread Tyler Hicks
Grubb <sgr...@redhat.com> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 14 ++

[PATCH v3 0/4] Better integrate seccomp logging and auditing

2018-05-03 Thread Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action.

[PATCH v3 1/4] seccomp: Separate read and write code for actions_logged sysctl

2018-05-03 Thread Tyler Hicks
evaluates to true. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/

[PATCH v3 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-03 Thread Tyler Hicks
reading the actions_logged sysctl. Suggested-by: Steve Grubb <sgr...@redhat.com> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 5 + kernel/auditsc.c | 20 ++ kernel/seccomp.c | 58 ++

[PATCH v3 2/4] seccomp: Configurable separator for the actions_logged string

2018-05-03 Thread Tyler Hicks
. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f4afe67..b36ac1e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1135,10 +1135,11 @@ static

Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-03 Thread Tyler Hicks
On 05/03/2018 04:12 PM, Steve Grubb wrote: > On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote: >> On 05/03/2018 03:48 PM, Paul Moore wrote: >>> On Thu, May 3, 2018 at 4:42 PM, Steve Grubb <sgr...@redhat.com> wrote: >>>> On Thursday, May 3,

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-02 Thread Tyler Hicks
On 05/01/2018 12:25 PM, Paul Moore wrote: > On Tue, May 1, 2018 at 12:41 PM, Steve Grubb <sgr...@redhat.com> wrote: >> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: >>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>>

[PATCH v2 4/4] seccomp: Don't special case audited processes when logging

2018-05-02 Thread Tyler Hicks
Grubb <sgr...@redhat.com> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 14 ++

[PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-02 Thread Tyler Hicks
s,kill_thread,errno,trace,log res=1 No audit records are generated when reading the actions_logged sysctl. Suggested-by: Steve Grubb <sgr...@redhat.com> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 5 + kernel/auditsc.c | 25

[PATCH v2 2/4] seccomp: Configurable separator for the actions_logged string

2018-05-02 Thread Tyler Hicks
. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f4afe67..b36ac1e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1135,10 +1135,11 @@ static

[PATCH v2 1/4] seccomp: Separate read and write code for actions_logged sysctl

2018-05-02 Thread Tyler Hicks
evaluates to true. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/

[PATCH v2 0/4] Better integrate seccomp logging and auditing

2018-05-02 Thread Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action.

[PATCH 0/3] Better integrate seccomp logging and auditing

2018-04-27 Thread Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action.

[PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-04-27 Thread Tyler Hicks
in the same value as the previous example for the actions field: type=CONFIG_CHANGE msg=audit(1524601204.365:152): pid=1704 uid=0 auid=1000 tty=pts8 ses=1 comm="tee" exe="/usr/bin/tee" op=seccomp-logging actions="kill_process kill_thread errno trace log" res=0

[PATCH 3/3] seccomp: Don't special case audited processes when logging

2018-04-27 Thread Tyler Hicks
Grubb <sgr...@redhat.com> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 2 +- kernel/seccomp.c

[PATCH 1/3] seccomp: Separate read and write code for actions_logged sysctl

2018-04-27 Thread Tyler Hicks
evaluates to true. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/

Re: Limiting SECCOMP audit events

2018-04-24 Thread Tyler Hicks
>> On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote: >>> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>>> On 01/02/2018 02:03 PM, Steve Grubb wrote: >>>>> Hello, >>>>> >>>>>

Re: Limiting SECCOMP audit events

2018-01-02 Thread Tyler Hicks
:02:19 AM EST Steve Grubb wrote: >> On Thursday, December 14, 2017 6:06:30 PM EST Tyler Hicks wrote: >>> On 12/14/2017 09:19 AM, Steve Grubb wrote: >>>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote: >>>>> On 12/13/2017 05:58 PM, Steve Gr

Re: Limiting SECCOMP audit events

2017-12-15 Thread Tyler Hicks
On 12/15/2017 08:08 AM, Paul Moore wrote: > On December 14, 2017 6:06:49 PM Tyler Hicks <tyhi...@canonical.com> wrote: > >> On 12/14/2017 09:19 AM, Steve Grubb wrote: >>> On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote: >>> >>>

Re: Limiting SECCOMP audit events

2017-12-14 Thread Tyler Hicks
On 12/14/2017 09:19 AM, Steve Grubb wrote: > On Thursday, December 14, 2017 10:04:48 AM EST Tyler Hicks wrote: > >> On 12/13/2017 05:58 PM, Steve Grubb wrote: > >> > Over the last month, the amount of seccomp events in audit logs is > >> > sky-rocketing. I ha

Re: Limiting SECCOMP audit events

2017-12-14 Thread Tyler Hicks
On 12/13/2017 05:58 PM, Steve Grubb wrote: > Hello, > > > > Over the last month, the amount of seccomp events in audit logs is > sky-rocketing. I have over a million events in the last 2 days. Most of > this is generated by firefox and qt webkit. > > > > I am wondering if the audit package

Re: Unique audit record type ranges for individual LSMs

2017-12-06 Thread Tyler Hicks
On 12/06/2017 12:47 PM, Casey Schaufler wrote: > On 12/6/2017 9:51 AM, Tyler Hicks wrote: >> Hello - The AppArmor project would like for AppArmor audit records to be >> supported by the audit-userspace tools, such as ausearch, but it >> requires some coordination between the

Unique audit record type ranges for individual LSMs

2017-12-06 Thread Tyler Hicks
Hello - The AppArmor project would like for AppArmor audit records to be supported by the audit-userspace tools, such as ausearch, but it requires some coordination between the linux-security-module and linux-audit lists. This was raised as a feature request years ago in Ubuntu and more recently

Re: [PATCH v6 3/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-08-11 Thread Tyler Hicks
On 08/11/2017 02:17 PM, Kees Cook wrote: > On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int >> write, >> + void _

[PATCH v6 6/6] seccomp: Action to log before allowing

2017-08-10 Thread Tyler Hicks
== RET_KILL && RET_KILL in actions_logged: log else if action == RET_LOG && RET_LOG in actions_logged: log else if filter-requests-logging && action in actions_logged: log else if audit_enabled && process-is-being-audited: log else: do not log

[PATCH v6 4/6] seccomp: Selftest for detection of filter flag support

2017-08-10 Thread Tyler Hicks
that the flag is invalid. This patch adds a selftest that can be used to test this method of detection in userspace. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 59 +++ 1 file changed, 59 insertions(+) diff

[PATCH v6 1/6] seccomp: Sysctl to display available actions

2017-08-10 Thread Tyler Hicks
re exactly what seccomp logs through the audit subsystem. Support for this level of logging configuration will come in a future patch. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/sysctl/kernel.txt| 1 + Documentation/userspace-api/seccomp

[PATCH v6 0/6] Improved seccomp logging

2017-08-10 Thread Tyler Hicks
This patch set aims to improve logging in seccomp by: 1) Empowering administrators to be able to permit or quiet logging of specific seccomp actions 2) Allowing applications to request logging of all actions, except for RET_ALLOW, in the filter being loaded (subject to the

[PATCH v6 5/6] seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

2017-08-10 Thread Tyler Hicks
log else if filter-requests-logging && action in actions_logged: log else if audit_enabled && process-is-being-audited: log else: do not log Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/seccomp.h | 3 +- include/uapi/linux/s

[PATCH v6 2/6] seccomp: Operation for checking if an action is available

2017-08-10 Thread Tyler Hicks
this new operation, -1 is returned with errno set to -EINVAL meaning that userspace code will have the ability to differentiate between the two error cases. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Suggested-by: Andy Lutomirski <l...@amacapital.net> --- include/uapi/lin

[PATCH v6 3/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-08-10 Thread Tyler Hicks
ns_logged: log else if audit_enabled && task-is-being-audited: log else: do not log Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/userspace-api/seccomp_filter.rst | 18 +++ include/linux/audit.h | 6 +-

Re: [PATCH v5 2/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-08-10 Thread Tyler Hicks
On 08/04/2017 05:24 PM, Tyler Hicks wrote: > On 08/03/2017 11:33 AM, Kees Cook wrote: >> On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>> Administrators can write to this sysctl to set the seccomp actions that >>> are allowed to

Re: [PATCH v5 2/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-08-07 Thread Tyler Hicks
On 2017-08-04 17:24:00, Tyler Hicks wrote: > On 08/03/2017 11:33 AM, Kees Cook wrote: > > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: > >> Administrators can write to this sysctl to set the seccomp actions that > >> are allowed to

Re: [PATCH v5 6/6] seccomp: Selftest for detection of filter flag support

2017-08-04 Thread Tyler Hicks
On 08/03/2017 11:58 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Userspace needs to be able to reliably detect the support of a filter >> flag. A good way of doing that is by attempting to enter filter mode, &

Re: [PATCH v5 5/6] seccomp: Action to log before allowing

2017-08-04 Thread Tyler Hicks
On 08/03/2017 11:56 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing >> the syscall. At the implementation level, this action is identic

Re: [PATCH v5 3/6] seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

2017-08-04 Thread Tyler Hicks
On 08/03/2017 11:51 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Add a new filter flag, SECCOMP_FILTER_FLAG_LOG, that enables logging for >> all actions except for SECCOMP_RET_ALLOW for the given filter. >>

Re: [PATCH v5 4/6] seccomp: Operation for checking if an action is available

2017-08-04 Thread Tyler Hicks
On 08/03/2017 11:54 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Userspace code that needs to check if the kernel supports a given action >> may not be able to use the /proc/sys/kernel/seccomp/actions_avail >&

Re: [PATCH v5 2/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-08-04 Thread Tyler Hicks
On 08/03/2017 11:33 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Administrators can write to this sysctl to set the seccomp actions that >> are allowed to be logged. Any actions not found in this sysctl

Re: [PATCH v5 1/6] seccomp: Sysctl to display available actions

2017-08-03 Thread Tyler Hicks
On 08/03/2017 11:37 AM, Kees Cook wrote: > On Fri, Jul 28, 2017 at 1:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch creates a read-only sysctl containing an ordered list of >> seccomp actions that the kernel supports. The ordering, from left to >> right,

[PATCH v5 3/6] seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

2017-07-28 Thread Tyler Hicks
byte hole (unavoidable) and consumes one of those bytes. Unfortunately, the tests added for SECCOMP_FILTER_FLAG_LOG are not capable of inspecting the audit log to verify that the actions taken in the filter were logged. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- *

[PATCH v5 6/6] seccomp: Selftest for detection of filter flag support

2017-07-28 Thread Tyler Hicks
that the flag is invalid. This patch adds a selftest that can be used to test this method of detection in userspace. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes since v4: - This is a new patch tools/testing/selftests/seccomp/seccomp_bpf.c | 58

[PATCH v5 5/6] seccomp: Action to log before allowing

2017-07-28 Thread Tyler Hicks
restrictive than quietly allowing. Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of inspecting the audit log to verify that the syscall was logged. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Change since v4: - folded the previously separate selftest

[PATCH v5 2/6] seccomp: Sysctl to configure actions that are allowed to be logged

2017-07-28 Thread Tyler Hicks
ing audited, meaning that an audit context has been allocated for the task, seccomp will log all actions other than SECCOMP_RET_ALLOW despite the value of actions_logged. This exception preserves the existing auditing behavior of tasks with an allocated audit context. Signed-off-by: Tyler Hicks <

[PATCH v5 1/6] seccomp: Sysctl to display available actions

2017-07-28 Thread Tyler Hicks
re exactly what seccomp logs through the audit subsystem. Support for this level of logging configuration will come in a future patch. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes since v4: - move device_initcall() into CONFIG_SYSCTL ifdef - mark the seccomp_acti

Re: [PATCH v3 0/4] Improved seccomp logging

2017-05-01 Thread Tyler Hicks
On 04/27/2017 07:42 PM, Kees Cook wrote: > On Thu, Apr 27, 2017 at 3:17 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Quick update... I finished the move from the high-water mark >> log_max_action sysctl to the bitmask based actions_logged sysctl. > > Awesome! >

Re: [PATCH v3 0/4] Improved seccomp logging

2017-04-27 Thread Tyler Hicks
On 04/10/2017 10:59 PM, Kees Cook wrote: > On Fri, Apr 7, 2017 at 4:46 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 04/07/2017 05:46 PM, Kees Cook wrote: >>> Does the app-controlled bitmask apply to the filter, the process, the >>> process tree, or some

Re: [PATCH v3 0/4] Improved seccomp logging

2017-04-10 Thread Tyler Hicks
On 04/10/2017 10:57 AM, Andy Lutomirski wrote: > On Fri, Apr 7, 2017 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 02/22/2017 12:46 PM, Kees Cook wrote: >>> On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote: >>>

Re: [PATCH v3 0/4] Improved seccomp logging

2017-04-07 Thread Tyler Hicks
On 04/07/2017 05:46 PM, Kees Cook wrote: > On Fri, Apr 7, 2017 at 3:16 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 02/22/2017 12:46 PM, Kees Cook wrote: >>> On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote: >>>> On Wed, F

Re: [PATCH v3 0/4] Improved seccomp logging

2017-04-07 Thread Tyler Hicks
On 02/22/2017 12:46 PM, Kees Cook wrote: > On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook <keesc...@chromium.org> wrote: >> On Wed, Feb 15, 2017 at 7:24 PM, Andy Lutomirski <l...@amacapital.net> wrote: >>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonica

Re: [PATCH v4 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-16 Thread Tyler Hicks
On 02/16/2017 12:40 PM, Tyler Hicks wrote: > On 02/15/2017 07:10 PM, Kees Cook wrote: >> On Mon, Feb 13, 2017 at 7:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >>> index e36dfe9..270a227 100644 >>>

Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions

2017-02-16 Thread Tyler Hicks
On 02/16/2017 01:01 PM, Andy Lutomirski wrote: > On Thu, Feb 16, 2017 at 10:47 AM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 02/15/2017 09:14 PM, Andy Lutomirski wrote: >>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>>

Re: [PATCH v3 0/4] Improved seccomp logging

2017-02-16 Thread Tyler Hicks
On 02/15/2017 09:24 PM, Andy Lutomirski wrote: > On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch set is the third revision of the following two previously >> submitted patch sets: >> >> v1: >> http://lkml.kernel.

Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions

2017-02-16 Thread Tyler Hicks
On 02/15/2017 09:14 PM, Andy Lutomirski wrote: > On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch creates a read-only sysctl containing an ordered list of >> seccomp actions that the kernel supports. The ordering, from left to >>

Re: [PATCH v3 1/4] seccomp: Add sysctl to display available actions

2017-02-16 Thread Tyler Hicks
On 02/15/2017 07:00 PM, Kees Cook wrote: > On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch creates a read-only sysctl containing an ordered list of >> seccomp actions that the kernel supports. The ordering, from left to >> right,

Re: [PATCH v4 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-16 Thread Tyler Hicks
On 02/15/2017 07:10 PM, Kees Cook wrote: > On Mon, Feb 13, 2017 at 7:55 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> diff --git a/kernel/seccomp.c b/kernel/seccomp.c >> index e36dfe9..270a227 100644 >> --- a/kernel/seccomp.c >> +++ b/kernel/seccomp.c >

[PATCH v4 0/4] Improved seccomp logging

2017-02-13 Thread Tyler Hicks
tl - Patch 3 + Put some space between RET_LOG and RET_ALLOW for future actions + Separate the RET_ALLOW and RET_LOG cases in __seccomp_filter() - Patch 4 + Adjust the selftests for the updated RET_LOG value Tyler Tyler Hicks (4): seccomp: Add sysctl to display available actions se

[PATCH v4 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-13 Thread Tyler Hicks
r of tasks with an allocated audit context. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 21 ++ include/linux/audit.h | 6 +- kernel/seccomp.c | 123 - 3 files changed

[PATCH v4 3/4] seccomp: Create an action to log before allowing

2017-02-13 Thread Tyler Hicks
be written to the max_action_to_log sysctl in order to get a list of logged actions without the, potentially larger, set of allowed actions. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 6 ++ include/uapi/linux/seccomp.h | 1 +

[PATCH v4 4/4] seccomp: Add tests for SECCOMP_RET_LOG

2017-02-13 Thread Tyler Hicks
Extend the kernel selftests for seccomp to test the newly added SECCOMP_RET_LOG action. The added tests follow the example of existing tests. Unfortunately, the tests are not capable of inspecting the audit log to verify that the syscall was logged. Signed-off-by: Tyler Hicks <t

[PATCH v4 1/4] seccomp: Add sysctl to display available actions

2017-02-13 Thread Tyler Hicks
re exactly what seccomp logs through the audit subsystem. Support for this level of logging configuration will come in a future patch. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 16 ++ Documentation/sysctl/kernel.txt| 1 +

[PATCH v3 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-13 Thread Tyler Hicks
r of tasks with an allocated audit context. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 21 ++ include/linux/audit.h | 6 +- kernel/seccomp.c | 123 - 3 files changed

[PATCH v3 4/4] seccomp: Add tests for SECCOMP_RET_LOG

2017-02-13 Thread Tyler Hicks
Extend the kernel selftests for seccomp to test the newly added SECCOMP_RET_LOG action. The added tests follow the example of existing tests. Unfortunately, the tests are not capable of inspecting the audit log to verify that the syscall was logged. Signed-off-by: Tyler Hicks <t

[PATCH v3 3/4] seccomp: Create an action to log before allowing

2017-02-13 Thread Tyler Hicks
be written to the max_action_to_log sysctl in order to get a list of logged actions without the, potentially larger, set of allowed actions. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 6 ++ include/uapi/linux/seccomp.h | 1 +

Re: [PATCH v2 1/4] seccomp: Add sysctl to display available actions

2017-02-13 Thread Tyler Hicks
On 02/07/2017 06:43 PM, Kees Cook wrote: > On Tue, Feb 7, 2017 at 4:25 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 02/07/2017 06:03 PM, Kees Cook wrote: >>> On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >>>> This p

Re: [PATCH v2 3/4] seccomp: Create an action to log before allowing

2017-02-10 Thread Tyler Hicks
On 02/10/2017 06:08 PM, Kees Cook wrote: > On Fri, Feb 10, 2017 at 4:01 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 02/07/2017 06:33 PM, Kees Cook wrote: >>> This adds to UAPI, so it'd be good to think for a moment about how >>> this would work on old

Re: [PATCH v2 3/4] seccomp: Create an action to log before allowing

2017-02-10 Thread Tyler Hicks
On 02/07/2017 06:33 PM, Kees Cook wrote: > On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing >> the syscall. At the implementation level, this action is identical to >> the

Re: [PATCH v2 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-10 Thread Tyler Hicks
On 02/07/2017 06:24 PM, Kees Cook wrote: > On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> Administrators can write to this sysctl to set the maximum seccomp >> action that should be logged. Any actions with values greater than >> w

Re: [PATCH v2 1/4] seccomp: Add sysctl to display available actions

2017-02-07 Thread Tyler Hicks
On 02/07/2017 06:03 PM, Kees Cook wrote: > On Thu, Feb 2, 2017 at 9:37 PM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch creates a read-only sysctl containing an ordered list of >> seccomp actions that the kernel supports. The ordering, from left to >> right,

[PATCH v2 4/4] seccomp: Add tests for SECCOMP_RET_LOG

2017-02-02 Thread Tyler Hicks
Extend the kernel selftests for seccomp to test the newly added SECCOMP_RET_LOG action. The added tests follow the example of existing tests. Unfortunately, the tests are not capable of inspecting the audit log to verify that the syscall was logged. Signed-off-by: Tyler Hicks <t

[PATCH v2 2/4] seccomp: Add sysctl to configure actions that should be logged

2017-02-02 Thread Tyler Hicks
r of tasks with an allocated audit context. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 6 +-- kernel/seccomp.c | 114 -- 2 files changed, 112 insertions(+), 8 deletions(-) diff --git a/include/linux/a

[PATCH v2 0/4] Improved seccomp logging

2017-02-02 Thread Tyler Hicks
This patch set is the second revision of the following two previously submitted patch sets: http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhi...@canonical.com http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhi...@canonical.com The patch set aims to address some known

[PATCH v2 3/4] seccomp: Create an action to log before allowing

2017-02-02 Thread Tyler Hicks
be written to the max_action_to_log sysctl in order to get a list of logged actions without the, potentially larger, set of allowed actions. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- Documentation/prctl/seccomp_filter.txt | 6 ++ include/uapi/linux/seccomp.h | 1 +

[PATCH v2 1/4] seccomp: Add sysctl to display available actions

2017-02-02 Thread Tyler Hicks
re exactly what seccomp logs through the audit subsystem. Support for this level of logging configuration will come in a future patch. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- kernel/seccomp.c | 50 ++ 1 file changed, 50 insertion

Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions

2017-01-03 Thread Tyler Hicks
On 01/04/2017 02:42 AM, Paul Moore wrote: > On Tue, Jan 3, 2017 at 8:31 AM, Tyler Hicks <tyhi...@canonical.com> wrote: >> On 01/02/2017 04:47 PM, Paul Moore wrote: >>> On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote: >>>> Thi

Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions

2017-01-03 Thread Tyler Hicks
On 01/04/2017 04:44 AM, Kees Cook wrote: > On Tue, Jan 3, 2017 at 1:31 PM, Paul Moore wrote: >> On Tue, Jan 3, 2017 at 4:21 PM, Kees Cook wrote: >>> On Tue, Jan 3, 2017 at 1:13 PM, Paul Moore wrote: On Tue, Jan 3, 2017 at

Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions

2017-01-03 Thread Tyler Hicks
On 01/02/2017 11:57 PM, Andy Lutomirski wrote: > On Mon, Jan 2, 2017 at 8:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch set creates the basis for auditing information specific to a given >> seccomp return action and then starts auditing SECCOMP_RET_ER

Re: [PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions

2017-01-03 Thread Tyler Hicks
On 01/02/2017 04:47 PM, Paul Moore wrote: > On Mon, Jan 2, 2017 at 11:53 AM, Tyler Hicks <tyhi...@canonical.com> wrote: >> This patch set creates the basis for auditing information specific to a given >> seccomp return action and then starts auditing SECCOMP_RET_ERRNO return

Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values

2017-01-02 Thread Tyler Hicks
On 2017-01-02 12:20:53, Steve Grubb wrote: > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote: > > Generate audit records for SECCOMP_RET_ERRNO actions, which were > > previously not audited. > > > > Additionally, include the errno value that will be s

[PATCH 2/2] seccomp: Add tests for SECCOMP_RET_AUDIT

2017-01-02 Thread Tyler Hicks
Extend the kernel selftests for seccomp to test the newly added SECCOMP_RET_AUDIT action. The added tests follow the example of existing tests. Unfortunately, the tests are not capable of inspecting the audit log to verify that an audit message was emitted. Signed-off-by: Tyler Hicks <t

[PATCH 1/2] seccomp: Create an action to audit before allowing

2017-01-02 Thread Tyler Hicks
to a different syscall, then updating the filter and rebuilding the app, etc. SECCOMP_RET_AUDIT is considered to be slightly more restrictive than SECCOMP_RET_ALLOW. The reason is because 'audit before allowing' is more restrictive than 'silently allowing'. Signed-off-by: Tyler Hicks <tyhi...@canonical.

[PATCH 0/2] Support auditing while still allowing a syscall

2017-01-02 Thread Tyler Hicks
Allow application authors to opt into auditing a syscall before allowing it. This differs slightly from SECCOMP_RET_ALLOW in that an audit message is generated for the syscall. It can be useful when initially setting up a seccomp sandbox for your application if you set the default action to audit

[PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values

2017-01-02 Thread Tyler Hicks
Generate audit records for SECCOMP_RET_ERRNO actions, which were previously not audited. Additionally, include the errno value that will be set in the audit message. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 19 ++- kernel/auditsc.c

[PATCH 1/2] seccomp: Allow for auditing functionality specific to return actions

2017-01-02 Thread Tyler Hicks
functional change in that "sig=0" is not printed when auditing seccomp actions other than SECCOMP_RET_KILL. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- include/linux/audit.h | 39 +-- kernel/auditsc.c | 19 +++

[PATCH 0/2] Begin auditing SECCOMP_RET_ERRNO return actions

2017-01-02 Thread Tyler Hicks
This patch set creates the basis for auditing information specific to a given seccomp return action and then starts auditing SECCOMP_RET_ERRNO return actions. The audit messages for SECCOMP_RET_ERRNO return actions include the errno value that will be returned to userspace. Tyler

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2014-06-06 Thread Tyler Hicks
[Added Eric to cc] On 2014-06-06 13:46:48, Tyler Hicks wrote: On 2014-05-30 17:00:04, Steve Grubb wrote: On Friday, May 30, 2014 10:16:44 PM Tyler Hicks wrote: On 2014-05-30 15:53:49, Steve Grubb wrote: On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote: This patch came from

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2014-05-30 Thread Tyler Hicks
On 2014-05-30 15:53:49, Steve Grubb wrote: On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote: This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field. This patch

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2014-05-29 Thread Tyler Hicks
On 2014-05-28 15:33:06, Tony Jones wrote: This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field. This patch doesn't address the lack of support for AppArmor in aureport

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2014-05-29 Thread Tyler Hicks
On 2014-05-29 11:01:38, Steve Grubb wrote: On Thursday, May 29, 2014 10:31:52 AM Tyler Hicks wrote: On 2014-05-28 15:33:06, Tony Jones wrote: This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2014-05-29 Thread Tyler Hicks
On 2014-05-28 15:33:06, Tony Jones wrote: This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field. This patch doesn't address the lack of support for AppArmor in aureport

Re: [PATCH] audit: printk USER_AVC messages when audit isn't enabled

2013-08-16 Thread Tyler Hicks
On 2013-07-25 18:02:55, Tyler Hicks wrote: When the audit=1 kernel parameter is absent and auditd is not running, AUDIT_USER_AVC messages are being silently discarded. AUDIT_USER_AVC messages should be sent to userspace using printk(), as mentioned in the commit message

[PATCH] audit: printk USER_AVC messages when audit isn't enabled

2013-07-25 Thread Tyler Hicks
messages in both functions. Signed-off-by: Tyler Hicks tyhi...@canonical.com Cc: Al Viro v...@zeniv.linux.org.uk Cc: Eric Paris epa...@redhat.com Cc: linux-audit@redhat.com --- It looks like commit 50397bd1e471391d27f64efad9271459c913de87 ([AUDIT] clean up audit_receive_msg()) introduced this bug, so I

[PATCH 0/3] Fix userspace audit compiler warnings

2013-02-08 Thread Tyler Hicks
These patches fix the majority of compiler warnings seen when building audit on Ubuntu. The audit codebase rarely checked the return value of asprintf(), which can cause problems if memory allocation fails. Most of the missing checks are in libauparse, which is probably fine but who knows what

[PATCH 3/3] Fix discards 'const' qualifier from pointer target type warnings

2013-02-08 Thread Tyler Hicks
use ptr as a placeholder and use strndup() to allocate str. Later in the function a new, non-const pointer is used to modify str. These changes allow unescape() to still take a const char * as its input parameter. Signed-off-by: Tyler Hicks tyhi...@canonical.com --- src/aureport-options.c |2

[PATCH 2/3] Fix Wunused-return warnings

2013-02-08 Thread Tyler Hicks
. They are not treated as fatal when the operations fail during log rotation since we made sure that the file owner and permissions were correct when originally opening the log file. Signed-off-by: Tyler Hicks tyhi...@canonical.com --- audisp/audispd.c |6 -- src/auditd-event.c | 45

[PATCH 1/3] Don't ignore the return value of asprintf()

2013-02-08 Thread Tyler Hicks
If an error occurs in asprintf(), the contents of the strp variable are undefined. asprintf()'s return value must be checked and the parameter passed into asprintf() should be set to NULL upon error. Signed-off-by: Tyler Hicks tyhi...@canonical.com --- audisp/audispd.c

Re: [PATCH] Use python-config to find python include directories

2012-12-20 Thread Tyler Hicks
On 2012-12-20 13:17:17, Tyler Hicks wrote: In Ubuntu's current development release, the Python header files have been split up for multiarch reasons. /usr/include/python2.7/Python.h includes pyconfig.h, which is in /usr/include/x86_64-linux-gnu/python2.7/. I'm not sure if this sort

Re: [PATCH 0/5] Build time disabling of auditd network listener

2012-10-26 Thread Tyler Hicks
On 2012-09-11 10:10:35, Tyler Hicks wrote: On 2012-09-11 09:12:25, Steve Grubb wrote: On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote: On 2012-08-01 00:00:19, Tyler Hicks wrote: Hello Steve - This is a patch set that allows --disable-listener to be passed to the configure

Re: [PATCH 0/5] Build time disabling of auditd network listener

2012-09-11 Thread Tyler Hicks
On 2012-09-11 09:12:25, Steve Grubb wrote: On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote: On 2012-08-01 00:00:19, Tyler Hicks wrote: Hello Steve - This is a patch set that allows --disable-listener to be passed to the configure script to disable the auditd network listener
