Limiting SECCOMP audit events

Steve Grubb sgrubb at redhat.com
Fri Dec 15 16:09:39 UTC 2017 

On Friday, December 15, 2017 10:47:14 AM EST Tyler Hicks wrote:
> > Looks good to me but two things:
> > 
> > * Change the name of __audit_seccomp() to audit_seccomp() since we don't
> > have two functions anymore.
> > 
> > * Are we sure about removing the audit_enabled check? People got pretty
> > upset when it wasn't there in the past.
> 
> Do you have any references to the complaints so that we can understand
> them better? I remember being surprised by commit 96368701 adding the
> audit_enabled check (my fault for not watching the list closer) and
> having to revert it in Ubuntu with a distro patch.
> 
> 
> After sleeping on it for a night, I'm now unsure if the patch I sent in
> this thread is what you guys really want. I'll go back to talking in
> pseudocode. This is what we have in 4.14:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action == RET_KILL && RET_KILL in actions_logged:
>     log
>   else if action == RET_LOG && RET_LOG in actions_logged:
>     log
>   else if filter-requests-logging && action in actions_logged:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log
> 
> This is what the patch in this thread does:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,5 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> -    log
>    else:
>      do not log
> 
> Instead of that change, now I'm wondering if this is what you really
> want:
> 
> --- a/seccomp-log.pseudo
> +++ b/seccomp-log.pseudo
> @@ -6,7 +6,8 @@
>      log
>    else if filter-requests-logging && action in actions_logged:
>      log
> -  else if audit_enabled && process-is-being-audited:
> +  else if audit_enabled && process-is-being-audited &&
> +          action in actions_logged:
>      log
>    else:
>      do not log
> 
> After refactoring the 'action in actions_logged' check, it would leave
> us with this:
> 
>   if action == RET_ALLOW:
>     do not log
>   else if action not in actions_logged:
>     do not log

Yeah, this would let us drop the trap return. While errno can lead to a lot of 
logging, in practice I just don't see them very often if ever.

-Steve

>   else if action == RET_KILL:
>     log
>   else if action == RET_LOG:
>     log
>   else if filter-requests-logging:
>     log
>   else if audit_enabled && process-is-being-audited:
>     log
>   else:
>     do not log

More information about the Linux-audit mailing list