From: Paul Moore <pmoore@redhat.com>
To: Corey Bryant <coreyb@linux.vnet.ibm.com>, Will Drewry <wad@chromium.org>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, jmorris@namei.org,
otubo@linux.vnet.ibm.com, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH 1/3] seccomp: Add SECCOMP_RET_INFO return value
Date: Wed, 19 Dec 2012 10:28:42 -0500 [thread overview]
Message-ID: <34771527.GTMPbzeFu2@sifl> (raw)
In-Reply-To: <50D1D58D.6060408@linux.vnet.ibm.com>
On Wednesday, December 19, 2012 09:56:13 AM Corey Bryant wrote:
> On 12/18/2012 05:22 PM, Will Drewry wrote:
> > while others I've spoken with have been using the audit path to track
> > denied values -- not so great for soft-failures :)
>
> The audit path would work too but if I understand I think you can only
> learn one syscall per execution. The nice thing about SECCOMP_RET_INFO
> is that you can easily learn all the syscalls in one execution.
Another quick point about the audit log: on some systems, e.g. tightly secured
SELinux systems, the audit log is only accessible via a very privileged user
(Will hints at this below). Normal users do not have access to, and therefore
can't make use of, the seccomp related audit records.
> > That aside, I worry that pr_info is the wrong place for a random user
> > on the machine to log to for this, but I may be wrong, rather than a
> > dedicated ringbufffer, etc. So if this is for a user with privs, then
> > a SECCOMP_RET_AUDIT might make sense. Feedback to a local user seems
> > tricky in general. I don't know :) I just decided to deal with it in
> > userland even if it is slightly painful.
>
> That's a good point. I don't know which option is better either so if
> anyone else could weigh in on the better approach I'd appreciate it.
I agree with Will's statement about better to deal with the problem in
userspace when possible, but as Corey pointed out, our experiences with QEMU
have demonstrated that dealing with the problem exclusively in userspace just
isn't practical in every case.
Syslog might not be the answer, but RET_TRAP and the audit log aren't very
good answers either.
--
paul moore
security and virtualization @ redhat
prev parent reply other threads:[~2012-12-19 15:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-18 21:50 [PATCH 1/3] seccomp: Add SECCOMP_RET_INFO return value Corey Bryant
2012-12-18 22:22 ` Will Drewry
2012-12-19 14:56 ` Corey Bryant
2012-12-19 15:28 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=34771527.GTMPbzeFu2@sifl \
--to=pmoore@redhat.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=otubo@linux.vnet.ibm.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox