xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

seccomp: Sysctl to configure actions that are allowed to be logged

Browse Source 
Adminstrators can write to this sysctl to set the seccomp actions that
are allowed to be logged. Any actions not found in this sysctl will not
be logged.

For example, all SECCOMP_RET_KILL, SECCOMP_RET_TRAP, and
SECCOMP_RET_ERRNO actions would be loggable if "kill trap errno" were
written to the sysctl. SECCOMP_RET_TRACE actions would not be logged
since its string representation ("trace") wasn't present in the sysctl
value.

The path to the sysctl is:

 /proc/sys/kernel/seccomp/actions_logged

The actions_avail sysctl can be read to discover the valid action names
that can be written to the actions_logged sysctl with the exception of
"allow". SECCOMP_RET_ALLOW actions cannot be configured for logging.

The default setting for the sysctl is to allow all actions to be logged
except SECCOMP_RET_ALLOW. While only SECCOMP_RET_KILL actions are
currently logged, an upcoming patch will allow applications to request
additional actions to be logged.

There's one important exception to this sysctl. If a task is
specifically being audited, meaning that an audit context has been
allocated for the task, seccomp will log all actions other than
SECCOMP_RET_ALLOW despite the value of actions_logged. This exception
preserves the existing auditing behavior of tasks with an allocated
audit context.

With this patch, the logic for deciding if an action will be logged is:

if action == RET_ALLOW:
  do not log
else if action == RET_KILL && RET_KILL in actions_logged:
  log
else if audit_enabled && task-is-being-audited:
  log
else:
  do not log

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Tyler Hicks
2017-08-11 04:33:54 +00:00
committed by Kees Cook
parent d612b1fd80
commit 0ddec0fc89
3 changed files with 187 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Documentation/userspace-api/seccomp_filter.rst
View File

@@ -187,6 +187,24 @@ directory. Here's a description of each file in that directory:
program was built, differs from the set of actions actually
supported in the current running kernel.
``actions_logged``:
A read-write ordered list of seccomp return values (refer to the
``SECCOMP_RET_*`` macros above) that are allowed to be logged. Writes
to the file do not need to be in ordered form but reads from the file
will be ordered in the same way as the actions_avail sysctl.
It is important to note that the value of ``actions_logged`` does not
prevent certain actions from being logged when the audit subsystem is
configured to audit a task. If the action is not found in
``actions_logged`` list, the final decision on whether to audit the
action for that task is ultimately left up to the audit subsystem to
decide for all seccomp return values other than ``SECCOMP_RET_ALLOW``.
The ``allow`` string is not accepted in the ``actions_logged`` sysctl
as it is not possible to log ``SECCOMP_RET_ALLOW`` actions. Attempting
to write ``allow`` to the sysctl will result in an EINVAL being
returned.
Adding architecture support
===========================