[PATCH v6 3/6] seccomp: Sysctl to configure actions that are allowed to be logged

Tyler Hicks tyhicks at canonical.com
Fri Aug 11 19:33:35 UTC 2017 

On 08/11/2017 02:17 PM, Kees Cook wrote:
> On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
>> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write,
>> +                                         void __user *buffer, size_t *lenp,
>> +                                         loff_t *ppos)
>> +{
>> +       char names[sizeof(seccomp_actions_avail)];
>> +       struct ctl_table table;
>> +       int ret;
>> +
>> +       if (write && !capable(CAP_SYS_ADMIN))
>> +               return -EPERM;
>> +
>> +       memset(names, 0, sizeof(names));
>> +
>> +       if (!write) {
>> +               if (!seccomp_names_from_actions_logged(names, sizeof(names),
>> +                                                      seccomp_actions_logged))
>> +                       return -EINVAL;
>> +       }
>> +
>> +       table = *ro_table;
>> +       table.data = names;
>> +       table.maxlen = sizeof(names);
>> +       ret = proc_dostring(&table, write, buffer, lenp, ppos);
>> +       if (ret)
>> +               return ret;
>> +
>> +       if (write) {
>> +               u32 actions_logged;
>> +
>> +               if (!seccomp_actions_logged_from_names(&actions_logged,
>> +                                                      table.data))
>> +                       return -EINVAL;
>> +
>> +               if (actions_logged & SECCOMP_LOG_ALLOW)
>> +                       return -EINVAL;
>> +
>> +               seccomp_actions_logged = actions_logged;
>> +       }
>> +
>> +       return 0;
>> +}
> 
> One thought here: should "kill" be always forced on during a write?
> This flag effectively cannot be disabled, so listing it (or not) in
> the sysctl may be confusing...

"kill" can be silenced in the current implementation. Lets hammer out
whether or not that's the right thing to do and then we can discuss the
sysctl behavior on write. I don't personally have any concerns about an
admin being able to silence RET_KILL logs but let me know if you are
against it.

Tyler

> 
> -Kees
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170811/72a512a6/attachment.sig>

More information about the Linux-audit mailing list