]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit
projects / mirror_ubuntu-artful-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8ac8bbe) | patch
seccomp: Action to log before allowing
authorTyler Hicks <tyhicks@canonical.com>
Fri, 11 Aug 2017 04:33:57 +0000 (04:33 +0000)
committerSeth Forshee <seth.forshee@canonical.com>
Tue, 5 Sep 2017 12:35:00 +0000 (07:35 -0500)
commit4267083ebca423dd72337786f29dd39cbed474e9
tree5e6f358d99a9439c4e065fd2ae2224e61b20fb69tree
parent8ac8bbe1f5db5303376f7f5c91c5f3964b87500bcommit | diff
seccomp: Action to log before allowing

https://launchpad.net/bugs/1567597

Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing
the syscall. At the implementation level, this action is identical to
the existing SECCOMP_RET_ALLOW action. However, it can be very useful when
initially developing a seccomp filter for an application. The developer
can set the default action to be SECCOMP_RET_LOG, maybe mark any
obviously needed syscalls with SECCOMP_RET_ALLOW, and then put the
application through its paces. A list of syscalls that triggered the
default action (SECCOMP_RET_LOG) can be easily gleaned from the logs and
that list can be used to build the syscall whitelist. Finally, the
developer can change the default action to the desired value.

This provides a more friendly experience than seeing the application get
killed, then updating the filter and rebuilding the app, seeing the
application get killed due to a different syscall, then updating the
filter and rebuilding the app, etc.

The functionality is similar to what's supported by the various LSMs.
SELinux has permissive mode, AppArmor has complain mode, SMACK has
bring-up mode, etc.

SECCOMP_RET_LOG is given a lower value than SECCOMP_RET_ALLOW as allow
while logging is slightly more restrictive than quietly allowing.

Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of
inspecting the audit log to verify that the syscall was logged.

With this patch, the logic for deciding if an action will be logged is:

if action == RET_ALLOW:
  do not log
else if action == RET_KILL && RET_KILL in actions_logged:
  log
else if action == RET_LOG && RET_LOG in actions_logged:
  log
else if filter-requests-logging && action in actions_logged:
  log
else if audit_enabled && process-is-being-audited:
  log
else:
  do not log

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
(cherry picked from commit 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4 linux-next)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Documentation/userspace-api/seccomp_filter.rst diff | blob | blame | history
include/uapi/linux/seccomp.h diff | blob | blame | history
kernel/seccomp.c diff | blob | blame | history
tools/testing/selftests/seccomp/seccomp_bpf.c diff | blob | blame | history
Ubuntu Artful kernel mirror