From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756476AbdABRoC (ORCPT ); Mon, 2 Jan 2017 12:44:02 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:53030 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756439AbdABRmx (ORCPT ); Mon, 2 Jan 2017 12:42:53 -0500 Date: Mon, 2 Jan 2017 17:42:47 +0000 From: Tyler Hicks To: Steve Grubb Cc: linux-audit@redhat.com, Paul Moore , Eric Paris , Kees Cook , Andy Lutomirski , Will Drewry , linux-kernel@vger.kernel.org Subject: Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values Message-ID: <20170102174246.GA17677@sec> References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <1483375990-14948-3-git-send-email-tyhicks@canonical.com> <5284369.V7krsaxZyN@x2> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/" Content-Disposition: inline In-Reply-To: <5284369.V7krsaxZyN@x2> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --TB36FDmn/VVEgNH/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2017-01-02 12:20:53, Steve Grubb wrote: > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote: > > Generate audit records for SECCOMP_RET_ERRNO actions, which were > > previously not audited. > >=20 > > Additionally, include the errno value that will be set in the audit > > message. > >=20 > > Signed-off-by: Tyler Hicks > > --- > > include/linux/audit.h | 19 ++++++++++++++++++- > > kernel/auditsc.c | 3 +++ > > kernel/seccomp.c | 4 +++- > > 3 files changed, 24 insertions(+), 2 deletions(-) > >=20 > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 8c588c3..6815812 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -87,7 +87,10 @@ struct audit_field { > >=20 > > struct audit_seccomp_info { > > int code; > > - long signr; > > + union { > > + int errno; > > + long signr; > > + }; > > }; > >=20 > > extern int is_audit_feature_set(int which); > > @@ -319,6 +322,20 @@ static inline void audit_inode_child(struct inode > > *parent, } > > void audit_core_dumps(long signr); > >=20 > > +static inline void audit_seccomp_errno(unsigned long syscall, int errn= o, > > + int code) > > +{ > > + if (!audit_enabled) > > + return; > > + > > + if (errno || unlikely(!audit_dummy_context())) { > > + struct audit_seccomp_info info =3D { .code =3D code, > > + .errno =3D errno }; > > + > > + __audit_seccomp(syscall, &info); > > + } > > +} > > + > > static inline void audit_seccomp_signal(unsigned long syscall, long si= gnr, > > int code) > > { > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index b3472f2..db5fc9d 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2426,6 +2426,9 @@ void __audit_seccomp(unsigned long syscall, struct > > audit_seccomp_info *info) audit_log_task(ab); > >=20 > > switch (info->code) { > > + case SECCOMP_RET_ERRNO: > > + audit_log_format(ab, " errno=3D%d", info->errno); > > + break; >=20 > "exit" is the field name that syscalls use to return errno to user space.= I'd > rather not see another field created that maps to the same thing. You can= check > the translation with the auformat utility: Thanks for having a look at the field name I was using. Although I prefer "errno" over "exit" in terms of clarity, I agree that it makes sense to be consistent with the field names across record types. "exit" works for me. >=20 > http://people.redhat.com/sgrubb/files/auformat.tar.gz >=20 > $ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat = "%EXIT\n" >=20 > Also, I am working to normalize all the records. That mean every event re= cord > of the same type has the same fields, in the same order, with the same > representation. I would think "exit" could be added to the current record= after > syscall so that its ordered similarly to a syscall record. This patch goes against your normalization efforts in more ways than just the placement of the "exit" field. If the action is SECCOMP_RET_KILL, a "sig" field is present but if the action is SECCOMP_RET_ERRNO, the "sig" field will not be present but the "errno" field will be present. This happens all within the AUDIT_SECCOMP record type. How would you suggest normalizing AUDIT_SECCOMP records for different seccomp return actions? Tyler >=20 > -Steve >=20 > > case SECCOMP_RET_KILL: > > audit_log_format(ab, " sig=3D%ld", info->signr); > > break; > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > > index 54c01b6..e99c566 100644 > > --- a/kernel/seccomp.c > > +++ b/kernel/seccomp.c > > @@ -576,9 +576,11 @@ static int __seccomp_filter(int this_syscall, const > > struct seccomp_data *sd, /* Set low-order bits as an errno, capped at > > MAX_ERRNO. */ > > if (data > MAX_ERRNO) > > data =3D MAX_ERRNO; > > + > > + audit_seccomp_errno(this_syscall, data, action); > > syscall_set_return_value(current, task_pt_regs(current), > > -data, 0); > > - goto skip; > > + return -1; > >=20 > > case SECCOMP_RET_TRAP: > > /* Show the handler the original registers. */ >=20 >=20 --TB36FDmn/VVEgNH/ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJYapEWAAoJENaSAD2qAscKmf4P/iCEG/i6xPkzks3gWDMrzPth wfTeouoC6usVLz/YUwSISj+N4spAaq/B89L63CufF1vgzR9g/HW1yaCBPuJLkOLW HRXVG+lY2Ez8HcYQ2KScTdRPhMIRRfJYbsnVPfaPU9mgQzbF+WUFO+76kk1Niq7d gJqMMWp4JQR73OkbCS6AYbEDPhFcusngDUuTHlV75s8nNDWgmyKw3OoV+iy6T3TD ZrIxsEtctqTCNyfECvvr4wRYt9A9cnj38/wW2F+1f3IhgSy5+yUOxBKNO0GiBaHO xQTrY9MeKorhvyoznVVip1TWQiwb1dKeLMScJBCmHzak2shKV/Qiq9lSODlOrZaG jq787WEo0nM+d7NGQdtKnDy1smK/aU1XF6Z3p/+5bnwm307/+ygD5cJJYJYNaRDW xYoB2MdPwY0/5wS1t0cn03xkaRsyO3lSmAHCuNjLZhqMMFvew4U/k+7uIy1wjrFZ IQPdwDDXy3epnpFCXqMWyqKvNWiHQyE5W3UTBeTY8GpA6Db8wuh0FoLLafM0LEnj r41yrCGe/R02rt4onSgJuACNw5NHBc6TbXwiTsXz6HoZDKIJ7WEX9BV6gXcSJnpS y+6Xvxs4eVj/f6w3iHeLwsY5Ie+g9RKXwBnYnN0D29Rlj3ASNQOjK1Kg5GiZwePn QI3Y6L+MGzt0LVWvlyb2 =C63y -----END PGP SIGNATURE----- --TB36FDmn/VVEgNH/--