[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <23a0adb0-4db0-52aa-831e-36ceca466636@canonical.com>
Date: Fri, 11 Aug 2017 14:33:35 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: Kees Cook <keescook@...omium.org>
Cc: Andy Lutomirski <luto@...capital.net>,
Will Drewry <wad@...omium.org>,
Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...hat.com>,
John Crispin <john@...ozen.org>,
Tycho Andersen <tycho@...ker.com>, linux-audit@...hat.com,
LKML <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH v6 3/6] seccomp: Sysctl to configure actions that are
allowed to be logged
On 08/11/2017 02:17 PM, Kees Cook wrote:
> On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks <tyhicks@...onical.com> wrote:
>> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write,
>> + void __user *buffer, size_t *lenp,
>> + loff_t *ppos)
>> +{
>> + char names[sizeof(seccomp_actions_avail)];
>> + struct ctl_table table;
>> + int ret;
>> +
>> + if (write && !capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>> +
>> + memset(names, 0, sizeof(names));
>> +
>> + if (!write) {
>> + if (!seccomp_names_from_actions_logged(names, sizeof(names),
>> + seccomp_actions_logged))
>> + return -EINVAL;
>> + }
>> +
>> + table = *ro_table;
>> + table.data = names;
>> + table.maxlen = sizeof(names);
>> + ret = proc_dostring(&table, write, buffer, lenp, ppos);
>> + if (ret)
>> + return ret;
>> +
>> + if (write) {
>> + u32 actions_logged;
>> +
>> + if (!seccomp_actions_logged_from_names(&actions_logged,
>> + table.data))
>> + return -EINVAL;
>> +
>> + if (actions_logged & SECCOMP_LOG_ALLOW)
>> + return -EINVAL;
>> +
>> + seccomp_actions_logged = actions_logged;
>> + }
>> +
>> + return 0;
>> +}
>
> One thought here: should "kill" be always forced on during a write?
> This flag effectively cannot be disabled, so listing it (or not) in
> the sysctl may be confusing...
"kill" can be silenced in the current implementation. Lets hammer out
whether or not that's the right thing to do and then we can discuss the
sysctl behavior on write. I don't personally have any concerns about an
admin being able to silence RET_KILL logs but let me know if you are
against it.
Tyler
>
> -Kees
>
Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists