| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Jan 2017 09:35:35 -0500
From: Paul Moore <paul@...l-moore.com>
To: Kees Cook <keescook@...omium.org>
Cc: Mike Frysinger <vapier@...too.org>,
LKML <linux-kernel@...r.kernel.org>,
Andrei Vagin <avagin@...tuozzo.com>,
Andy Lutomirski <luto@...capital.net>,
Will Drewry <wad@...omium.org>,
Mike Frysinger <vapier@...omium.org>,
Tyler Hicks <tyhicks@...onical.com>,
linux-security-module <linux-security-module@...r.kernel.org>,
James Morris <james.l.morris@...cle.com>
Subject: Re: seccomp: dump core when using SECCOMP_RET_KILL
On Fri, Jan 27, 2017 at 4:48 PM, Kees Cook <keescook@...omium.org> wrote:
> For logging, I think audit needs to grow fork-tracking, and/or have a
> new "is under seccomp" test that can be exposed to auditctl. Then the
> system owner can issue either "tell me about all seccomp kills" or
> "tell me about seccomp kills in this process tree". As such, I don't
> think we should be making filter-level changes to deal with the needs
> of seccomp logging.
I really don't want to see seccomp logging relying on special audit
functionality simply because there are people using seccomp that don't
use audit. Whatever we do with seccomp logging we need to make sure
it works okay~ish regardless of audit.
See some of the discussion around Tyler's last patchset.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists