author Tyler Hicks <tyhicks@canonical.com> 2017-08-11 00:33:54 -0400
committer Kees Cook <keescook@chromium.org> 2017-08-14 16:46:45 -0400
commit 0ddec0fc8900201c0897b87b762b7c420436662f
tree d860565f915e9adcd57e113befc3d3bba7b3c085 /Documentation/userspace-api
parent d612b1fd8010d0d67b5287fe146b8b55bcbb8655
seccomp: Sysctl to configure actions that are allowed to be logged
Administrators can write to this sysctl to set the seccomp actions that are allowed to be logged. Any actions not found in this sysctl will not be logged.

For example, all SECCOMP_RET_KILL, SECCOMP_RET_TRAP, and SECCOMP_RET_ERRNO actions would be loggable if "kill trap errno" were written to the sysctl. SECCOMP_RET_TRACE actions would not be logged since its string representation ("trace") wasn't present in the sysctl value.

The path to the sysctl is:

  /proc/sys/kernel/seccomp/actions_logged

The actions_avail sysctl can be read to discover the valid action names that can be written to the actions_logged sysctl with the exception of "allow". SECCOMP_RET_ALLOW actions cannot be configured for logging.

The default setting for the sysctl is to allow all actions to be logged except SECCOMP_RET_ALLOW. While only SECCOMP_RET_KILL actions are currently logged, an upcoming patch will allow applications to request additional actions to be logged.

There's one important exception to this sysctl. If a task is specifically being audited, meaning that an audit context has been allocated for the task, seccomp will log all actions other than SECCOMP_RET_ALLOW despite the value of actions_logged. This exception preserves the existing auditing behavior of tasks with an allocated audit context.

With this patch, the logic for deciding if an action will be logged is:

  if action == RET_ALLOW:
    do not log
  else if action == RET_KILL && RET_KILL in actions_logged:
    log
  else if audit_enabled && task-is-being-audited:
    log
  else:
    do not log

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'Documentation/userspace-api')
-rw-r--r-- Documentation/userspace-api/seccomp_filter.rst 18
1 files changed, 18 insertions, 0 deletions
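The rules the commit message and the new documentation text give for an actions_logged value (names must come from actions_avail, "allow" is refused, reads come back in actions_avail order), as an added shell example that is not part of the kernel patch. The function name normalize_actions_logged and the SAMPLE_AVAIL list are assumptions made for illustration; on a real system the list comes from reading actions_avail.

```shell
#!/bin/sh
# Added example (not from the kernel tree): check a proposed value for
# /proc/sys/kernel/seccomp/actions_logged before writing it.

# Constructed sample of what actions_avail might contain, built from the
# action names the commit message mentions. Read the real file on a live
# system: cat /proc/sys/kernel/seccomp/actions_avail
SAMPLE_AVAIL="kill trap errno trace allow"

# normalize_actions_logged AVAIL REQUESTED   (hypothetical helper name)
#   AVAIL:     contents of actions_avail
#   REQUESTED: whitespace-separated action names, in any order
# On success prints REQUESTED reordered to match AVAIL, which is the order a
# later read of actions_logged would show. Returns 1 and prints nothing on
# stdout if a name would not be accepted.
normalize_actions_logged() {
    avail=$1
    # Collapse tabs, newlines and repeated spaces into single spaces.
    set -- $2
    requested="$*"

    for name in $requested; do
        # SECCOMP_RET_ALLOW can never be logged; the page says writing
        # "allow" to the sysctl returns EINVAL.
        if [ "$name" = "allow" ]; then
            echo "rejected: 'allow' is not accepted in actions_logged" >&2
            return 1
        fi
        # Every other name has to be one that actions_avail lists.
        case " $avail " in
            *" $name "*) ;;
            *) echo "rejected: '$name' is not listed in actions_avail" >&2
               return 1 ;;
        esac
    done

    # Walk actions_avail so the output follows its ordering.
    out=
    for name in $avail; do
        case " $requested " in
            *" $name "*) out="${out:+$out }$name" ;;
        esac
    done
    printf '%s\n' "$out"
}
```

Comparing the function's output with a read of actions_logged after the write confirms that the value in effect is the one that was intended.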
diff --git a/Documentation/userspace-api/seccomp_filter.rst b/Documentation/userspace-api/seccomp_filter.rst
index 35fc7cbf1d95..2d1d8ab04ac5 100644
--- a/Documentation/userspace-api/seccomp_filter.rst
+++ b/Documentation/userspace-api/seccomp_filter.rst
@@ -187,6 +187,24 @@ directory. Here's a description of each file in that directory:
187 program was built, differs from the set of actions actually 187 program was built, differs from the set of actions actually
188 supported in the current running kernel. 188 supported in the current running kernel.
189 189
190``actions_logged``:
191 A read-write ordered list of seccomp return values (refer to the
192 ``SECCOMP_RET_*`` macros above) that are allowed to be logged. Writes
193 to the file do not need to be in ordered form but reads from the file
194 will be ordered in the same way as the actions_avail sysctl.
195
196 It is important to note that the value of ``actions_logged`` does not
197 prevent certain actions from being logged when the audit subsystem is
198 configured to audit a task. If the action is not found in
199 ``actions_logged`` list, the final decision on whether to audit the
200 action for that task is ultimately left up to the audit subsystem to
201 decide for all seccomp return values other than ``SECCOMP_RET_ALLOW``.
202
203 The ``allow`` string is not accepted in the ``actions_logged`` sysctl
204 as it is not possible to log ``SECCOMP_RET_ALLOW`` actions. Attempting
205 to write ``allow`` to the sysctl will result in an EINVAL being
206 returned.
207
190Adding architecture support 208Adding architecture support
191=========================== 209===========================
192 210
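Review bot: The new ``actions_logged`` entry never states the sysctl's default value or the input format, so a reader of seccomp_filter.rst alone cannot tell what is logged on an unconfigured system. The commit message says the default allows every action except SECCOMP_RET_ALLOW to be logged and shows "kill trap errno" as an example value; suggest carrying both into the first paragraph of the entry, along with the note that only SECCOMP_RET_KILL is actually logged at this point in the series. The audit exception in the second paragraph could also say explicitly that it applies when an audit context has been allocated for the task, as the commit message does, since "configured to audit a task" is vaguer. Minor wording: "not found in ``actions_logged`` list" is missing "the".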