Limiting SECCOMP audit events
Steve Grubb
sgrubb at redhat.com
Fri Dec 15 16:09:39 UTC 2017
On Friday, December 15, 2017 10:47:14 AM EST Tyler Hicks wrote:
> > Looks good to me but two things:
> >
> > * Change the name of __audit_seccomp() to audit_seccomp() since we don't
> > have two functions anymore.
> >
> > * Are we sure about removing the audit_enabled check? People got pretty
> > upset when it wasn't there in the past.
>
> Do you have any references to the complaints so that we can understand
> them better? I remember being surprised by commit 96368701 adding the
> audit_enabled check (my fault for not watching the list closer) and
> having to revert it in Ubuntu with a distro patch.
>
>
> After sleeping on it for a night, I'm now unsure if the patch I sent in
> this thread is what you guys really want. I'll go back to talking in
> pseudocode. This is what we have in 4.14:
>
> if action == RET_ALLOW:
>     do not log
> else if action == RET_KILL && RET_KILL in actions_logged:
>     log
> else if action == RET_LOG && RET_LOG in actions_logged:
>     log
> else if filter-requests-logging && action in actions_logged:
>     log
> else if audit_enabled && process-is-being-audited:
>     log
> else:
>     do not log
>
> This is what the patch in this thread does:
>
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,5 @@
> log
> else if filter-requests-logging && action in actions_logged:
> log
> - else if audit_enabled && process-is-being-audited:
> - log
> else:
> do not log
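Review bot: this deletion drops the entire `audit_enabled && process-is-being-audited` branch, not only the `audit_enabled` condition, so a process that is being audited will no longer produce seccomp records for any action the filter does not itself request logging for (the errno and trap cases in this pseudocode). Given the concern raised earlier in this thread that people objected when the audit_enabled check was absent, the change description should state this behavioural difference explicitly and confirm it is the intended outcome.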
>
> Instead of that change, now I'm wondering if this is what you really
> want:
>
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,8 @@
> log
> else if filter-requests-logging && action in actions_logged:
> log
> - else if audit_enabled && process-is-being-audited:
> + else if audit_enabled && process-is-being-audited &&
> + action in actions_logged:
> log
> else:
> do not log
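Review bot: after this hunk `action in actions_logged` is tested in three separate branches (the RET_KILL and RET_LOG branches, the filter-requests-logging branch, and the newly extended audited-process branch), which is easy to get out of sync later; hoist it into one early `else if action not in actions_logged: do not log` so each remaining branch only tests its own condition. The description should also say that an audited process will now stop logging any action removed from actions_logged, since that is the intended difference from the current code.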
>
> After refactoring the 'action in actions_logged' check, it would leave
> us with this:
>
> if action == RET_ALLOW:
>     do not log
> else if action not in actions_logged:
>     do not log
Yeah, this would let us drop the trap return. While errno can lead to a lot of
logging, in practice I just don't see them very often if ever.
-Steve
> else if action == RET_KILL:
>     log
> else if action == RET_LOG:
>     log
> else if filter-requests-logging:
>     log
> else if audit_enabled && process-is-being-audited:
>     log
> else:
>     do not log
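A runnable model of the three logging policies compared in this thread (4.14, the patch as posted, and the alternative with actions_logged gating every branch), added here as an illustration rather than kernel code or anything from the patch itself; the action names, the boolean inputs and the sample actions_logged set are constructed for the model.

```python
from enum import Enum
from itertools import product


class Action(Enum):
    ALLOW = 0
    KILL = 1
    LOG = 2
    ERRNO = 3
    TRAP = 4


def logs_414(action, actions_logged, filter_log, audit_enabled, audited):
    """Decision logic of 4.14 as quoted in the thread."""
    if action is Action.ALLOW:
        return False
    if action in (Action.KILL, Action.LOG) and action in actions_logged:
        return True
    if filter_log and action in actions_logged:
        return True
    # Audited processes log regardless of actions_logged.
    return bool(audit_enabled and audited)


def logs_posted(action, actions_logged, filter_log, audit_enabled, audited):
    """The patch as posted: the audited-process branch is removed."""
    if action is Action.ALLOW:
        return False
    if action in (Action.KILL, Action.LOG) and action in actions_logged:
        return True
    return bool(filter_log and action in actions_logged)


def logs_alt(action, actions_logged, filter_log, audit_enabled, audited):
    """The alternative: actions_logged gates every non-ALLOW branch."""
    if action is Action.ALLOW or action not in actions_logged:
        return False
    if action in (Action.KILL, Action.LOG) or filter_log:
        return True
    return bool(audit_enabled and audited)


POLICIES = {"4.14": logs_414, "posted": logs_posted, "alternative": logs_alt}


def divergences(actions_logged):
    """Enumerate every input and return those where the policies disagree."""
    out = []
    for action, filter_log, audit_enabled, audited in product(
            Action, (False, True), (False, True), (False, True)):
        verdicts = {n: f(action, actions_logged, filter_log, audit_enabled, audited)
                    for n, f in POLICIES.items()}
        if len(set(verdicts.values())) > 1:
            out.append(((action.name, filter_log, audit_enabled, audited), verdicts))
    return out
```

With the constructed set {KILL, LOG, ERRNO} (trap deliberately left out), `divergences` reports that the only disagreements occur for audited processes: the posted patch silently drops errno events the alternative keeps, and both drop trap events that 4.14 still logs.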
More information about the Linux-audit mailing list