From: Tony Jones
Subject: Re: seccomp and audit_enabled
Date: Tue, 13 Oct 2015 10:18:59 -0700
Message-ID: <561D3D03.30300@suse.de>
References: <56188AE9.4030306@suse.de> <9092019.92r82W6k9o@sifl> <4636418.ofTBd0bpCf@sifl> <561BF39B.5050209@suse.de>
To: Paul Moore, Kees Cook
Cc: linux-security-module, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 10/13/2015 09:11 AM, Paul Moore wrote:
> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote:
>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote:
>>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>>> From: Tony Jones
>>> Date: Sat, 10 Oct 2015 19:30:49 -0700
>>> Subject: [PATCH] Don't log seccomp messages when audit is disabled
>>>
>>> Don't log seccomp messages when audit is disabled.
>>
>> This is intentional since violation of a seccomp policy ought to
>> indicate a misbehaving program, and we want these to always be
>> presented to the system log, regardless of audit being enabled. (I'd
>> like to even produce system log entries when there is no CONFIG_AUDIT
>> too, but that's for the future.)
>
> I agree. As I mentioned earlier these AUDIT_SECCOMP records are very handy.
> >>> diff --git a/include/linux/audit.h b/include/linux/audit.h >>> index b2abc99..8f70f3f 100644 >>> --- a/include/linux/audit.h >>> +++ b/include/linux/audit.h >>> @@ -113,6 +113,12 @@ struct filename; >>> >>> extern void audit_log_session_info(struct audit_buffer *ab); >>> >>> +#ifdef CONFIG_AUDIT >>> +extern u32 audit_enabled; >>> +#else >>> +#define audit_enabled 0 >>> +#endif >>> + >>> #ifdef CONFIG_AUDIT_COMPAT_GENERIC >>> #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) >>> #else 
>>> @@ -213,7 +219,7 @@ void audit_core_dumps(long signr); >>> static inline void audit_seccomp(unsigned long syscall, long signr, int code) >>> { >>> /* Force a record to be reported if a signal was delivered. */ >>> - if (signr || unlikely(!audit_dummy_context())) >> >> What is dummy_context part of this actually do? I don't think reports >> should be made when signr == 0. > > The idea behind audit_dummy_context() is to skip auditing when there > are no audit rules configured, it's a performance tweak. My guess is > that Tony's system loads some audit configuration at boot which > enables audit (the kernel starts with audit_enabled=0 ...) and loads a > few syscall filter rules which are enough to make > audit_dummy_context() return false. Can you confirm that Tony? No, it's the default audit.rules (-D, -b320). No actual rules loaded. Let me add some instrumentation and figure out what's going on. auditd is masked (via systemd) but systemd-journal seems to set audit_enabled=1 during startup (at least on our systems). > As for logging seccomp actions when signr == 0, I personally think > that still might be useful as the normal behavior has been altered; I > tend to think any action != ALLOW is worth logging. However, I'm open > to discussion on this if others feel strongly. > >>> + if (audit_enabled && (signr || unlikely(!audit_dummy_context()))) >>> __audit_seccomp(syscall, signr, code); >>> } I'm of the opinion that nothing should get output (through the audit system) if audit_enabled == 0. What you advocate calls for more than 2 possible states for audit_enabled or logging the information through another mechanism than audit. Tony
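Review bot: the `#ifdef CONFIG_AUDIT` / `extern u32 audit_enabled;` / `#define audit_enabled 0` block that the first hunk inserts near the top of include/linux/audit.h needs to be checked against the rest of that header before this goes in: if audit.h already declares audit_enabled (and already defines it to 0 for !CONFIG_AUDIT) further down in its CONFIG_AUDIT section, the hunk duplicates that and invites a redefinition warning, and if it does not, defining audit_enabled as a bare macro means any local variable or struct member of that name in a file that includes the header silently becomes the constant 0. A `static inline` accessor for the !CONFIG_AUDIT case avoids that. The only reason the declaration has to live this early in the header is that audit_seccomp() is a static inline defined in the same file, and the commit message should say so.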
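Review bot: the `audit_enabled &&` guard added to audit_seccomp() in the second hunk makes the comment directly above it, `/* Force a record to be reported if a signal was delivered. */`, untrue whenever audit is disabled, and it removes exactly the behaviour Kees and Paul describe in this thread as intentional (a seccomp violation that delivers a signal should always be reported). If the change is kept, the comment must be updated and the commit message needs the rationale, since it currently only repeats the subject line. A narrower alternative that keeps the signal case unconditional and only drops the no-rules case when audit is off would be `if (signr || (audit_enabled && unlikely(!audit_dummy_context())))`, which matches the reported problem (records appearing with no rules loaded) without losing the records Kees wants in the system log.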