Re: seccomp and audit_enabled

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tony Jones <tonyj@suse.de>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	linux-audit@redhat.com
Subject: Re: seccomp and audit_enabled
Date: Tue, 13 Oct 2015 12:46:47 -0700	[thread overview]
Message-ID: <561D5FA7.9040202@suse.de> (raw)
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>

On 10/13/2015 12:19 PM, Paul Moore wrote:

>> No, it's the default audit.rules (-D, -b320).   No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on.  auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
> 
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far.  I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

I'll debug what's going on (easy) on the test system and report back.  I'm curious
too.  Have a bad cold today so I'm moving slower than normal.

> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy); if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals.  To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).

Yes, if audit is enabled, you should totally be able to use it. Rest sounds good also.

thanks!

Tony

next prev parent reply	other threads:[~2015-10-13 19:53 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-10  3:50 seccomp and audit_enabled Tony Jones
2015-10-12 15:29 ` Paul Moore
2015-10-12 15:40   ` Paul Moore
2015-10-12 17:53     ` Tony Jones
2015-10-12 20:45       ` Kees Cook
2015-10-13 16:11         ` Paul Moore
2015-10-13 17:18           ` Tony Jones
2015-10-13 19:19             ` Paul Moore
2015-10-13 19:46               ` Tony Jones [this message]
2015-10-13 20:03               ` Steve Grubb
2015-11-06 21:45                 ` Tony Jones
2015-11-06 21:36               ` Tony Jones
2015-11-20 17:51                 ` Tony Jones
2015-11-20 21:26                   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=561D5FA7.9040202@suse.de \
    --to=tonyj@suse.de \
    --cc=linux-audit@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.