From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tyler Hicks Subject: Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl Date: Thu, 3 May 2018 17:36:18 -0500 Message-ID: References: <1525276400-7161-1-git-send-email-tyhicks@canonical.com> <2397134.HQDQRr6h1X@x2> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="9kzE7y2OHYL2UW2KxreBjb6n6R9MuqpRR" Return-path: In-Reply-To: <2397134.HQDQRr6h1X@x2> Sender: linux-kernel-owner@vger.kernel.org To: Steve Grubb , Paul Moore Cc: linux-kernel@vger.kernel.org, Kees Cook , Andy Lutomirski , Will Drewry , Eric Paris , Jonathan Corbet , linux-audit@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org List-Id: linux-audit@redhat.com This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --9kzE7y2OHYL2UW2KxreBjb6n6R9MuqpRR Content-Type: multipart/mixed; boundary="Z6x5O0M52QzElqflQ6iCsyOYlIR0un3Cs"; protected-headers="v1" From: Tyler Hicks To: Steve Grubb , Paul Moore Cc: linux-kernel@vger.kernel.org, Kees Cook , Andy Lutomirski , Will Drewry , Eric Paris , Jonathan Corbet , linux-audit@redhat.com, linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org Message-ID: Subject: Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl References: <1525276400-7161-1-git-send-email-tyhicks@canonical.com> <2397134.HQDQRr6h1X@x2> In-Reply-To: <2397134.HQDQRr6h1X@x2> --Z6x5O0M52QzElqflQ6iCsyOYlIR0un3Cs Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 05/03/2018 04:12 PM, Steve Grubb wrote: > On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote: >> On 05/03/2018 03:48 PM, Paul Moore wrote: >>> On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote= : >>>> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote: >>>>> On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wro= te: >>>>>> On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler Hicks wrote: >>>>>>> The decision to log a seccomp action will always be subject to th= e >>>>>>> value of the kernel.seccomp.actions_logged sysctl, even for proce= sses >>>>>>> that are being inspected via the audit subsystem, in an upcoming >>>>>>> patch. >>>>>>> Therefore, we need to emit an audit record on attempts at writing= to >>>>>>> the >>>>>>> actions_logged sysctl when auditing is enabled. >>>>>>> >>>>>>> This patch updates the write handler for the actions_logged sysct= l to >>>>>>> emit an audit record on attempts to write to the sysctl. Successf= ul >>>>>>> writes to the sysctl will result in a record that includes a >>>>>>> normalized >>>>>>> list of logged actions in the "actions" field and a "res" field e= qual >>>>>>> to >>>>>>> 0. Unsuccessful writes to the sysctl will result in a record that= >>>>>>> doesn't include the "actions" field and has a "res" field equal t= o 1. >>>>>>> >>>>>>> Not all unsuccessful writes to the sysctl are audited. For exampl= e, >>>>>>> an >>>>>>> audit record will not be emitted if an unprivileged process attem= pts >>>>>>> to >>>>>>> open the sysctl file for reading since that access control check = is >>>>>>> not >>>>>>> part of the sysctl's write handler. >>>>>>> >>>>>>> Below are some example audit records when writing various strings= to >>>>>>> the >>>>>>> actions_logged sysctl. >>>>>>> >>>>>>> Writing "not-a-real-action", when the kernel.seccomp.actions_logg= ed >>>>>>> sysctl previously was "kill_process kill_thread trap errno trace >>>>>>> log", >>>>>>> >>>>>>> emits this audit record: >>>>>>> type=3DCONFIG_CHANGE msg=3Daudit(1525275273.537:130): op=3Dsecco= mp-logging >>>>>>> old-actions=3Dkill_process,kill_thread,trap,errno,trace,log res=3D= 0 >>>>>>> >>>>>>> If you then write "kill_process kill_thread errno trace log", thi= s >>>>>>> audit >>>>>>> >>>>>>> record is emitted: >>>>>>> type=3DCONFIG_CHANGE msg=3Daudit(1525275310.208:136): op=3Dsecco= mp-logging >>>>>>> actions=3Dkill_process,kill_thread,errno,trace,log >>>>>>> old-actions=3Dkill_process,kill_thread,trap,errno,trace,log res=3D= 1 >>>>>>> >>>>>>> If you then write the string "log log errno trace kill_process >>>>>>> kill_thread", which is unordered and contains the log action twic= e, >>>>>>> >>>>>>> it results in the same actions value as the previous record: >>>>>>> type=3DCONFIG_CHANGE msg=3Daudit(1525275325.613:142): op=3Dsecco= mp-logging >>>>>>> actions=3Dkill_process,kill_thread,errno,trace,log >>>>>>> old-actions=3Dkill_process,kill_thread,errno,trace,log res=3D1 >>>>>>> >>>>>>> No audit records are generated when reading the actions_logged >>>>>>> sysctl. >>>>>> >>>>>> ACK for the format of the records. >>>>> >>>>> I just wanted to clarify the record format with you Steve ... the >>>>> "actions" and "old-actions" fields may not be included in the recor= d >>>>> in cases where there is an error building the action value string, = are >>>>> you okay with that or would you prefer the fields to always be >>>>> included but with a "?" for the value? >>>> >>>> A ? would be more in line with how other things are handled. >>> >>> That's what I thought. >>> >>> Would you mind putting together a v3 Tyler? :) >> >> To be clear, "?" is only to be used when the call to >> seccomp_names_from_actions_logged() fails, right? >=20 > Yes and that is a question mark with no quotes in the audit record. >=20 >> If the sysctl write fails for some other reason, such as when an inval= id >> action name is specified, can you confirm that you still want *no* >> "actions" field,=20 >=20 > Its best that fields do not disappear. In the case of invalid input, yo= u can=20 > just leave the new value as ? so that nothing malicious can be injected= into=20 > the logs >=20 >> the "old-actions" field to be the value prior to attempting the update= to >> the sysctl, and res to be 0? >=20 > Yes I came up with one more question after hitting a corner case while testin= g. It is valid to write an empty string to the sysctl. If the sysctl was set to "errno" and then later set to "", you'd see this with the current revision: type=3DCONFIG_CHANGE msg=3Daudit(1525385824.643:173): op=3Dseccomp-loggi= ng actions=3D old-actions=3Derrno res=3D1 Is that what you want or should the value of the "actions" field be something be something like this: actions=3D(none) Tyler --Z6x5O0M52QzElqflQ6iCsyOYlIR0un3Cs-- --9kzE7y2OHYL2UW2KxreBjb6n6R9MuqpRR Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEPgU+cN5AsTrekT5+1pIAPaoCxwoFAlrrjuIACgkQ1pIAPaoC xwqu0BAAwyRlqGQ5TStWh6CvMpMXQqKCq8yZysZNTnq2jjwpgNro/Hx4dYIBkHe4 C+FpRdV4w726wrp0GR9iR4UCAUeCKS6KfAMFech6fh4kdRX8mlN9txrUf4ZpiBr0 NT6IPCD0B/fRdxP9/FDwWSnIvD8TjcWD4XtW5v90NZMrUvVcfr6OugWVbzsgTdmK w4Fvbac1FmV4g/qr616UXF6O53JPDJ1+40kRVMWYciz5wRRcbxZEru8HcE0FHaKX xPVzUTnfi9ikoTGPIDxdKt4iabgxwv+95TIhBuGSt9Zi9sAovD5lQ/3Up6uGEOZ9 ou6wk9Sco/M8vdUM20479uV4JDaP+vL2bkeTa8LHhumFH3r0Y3Mi7WBww0MNJjXV R2UIkzI/xmE7c8PaKVyiKsvKdjyDHmQZqJyrLhSUPpa1AEQRLyto/ynItA1wRcF8 Ul+BvNbEhhnyAUGVvcQ4NbLRSja4i+iXTzRKeKjlA1im1UH4TVTCXb2tsMtPfTZM 45gytgvY2z/+TR8z8ABWNhEdmu+eJ8pidbrXhe9iLXTBVgB1EftV5TSM1ZrWsD1j c0GEbB0RCwLuDeCt71vgOPIisXQ4nd7heAbY25o8bLl/v7J17WQYuf5WAFmkVvvR 6SIPAcPfewR9e680zu5GWG/mWU2TPokm2GGQuw/2WyCS/5rEfQs= =1oYl -----END PGP SIGNATURE----- --9kzE7y2OHYL2UW2KxreBjb6n6R9MuqpRR--