• Tyler Hicks's avatar
    seccomp: Sysctl to configure actions that are allowed to be logged · 0ddec0fc
    Tyler Hicks authored
    Adminstrators can write to this sysctl to set the seccomp actions that
    are allowed to be logged. Any actions not found in this sysctl will not
    be logged.
    
    For example, all SECCOMP_RET_KILL, SECCOMP_RET_TRAP, and
    SECCOMP_RET_ERRNO actions would be loggable if "kill trap errno" were
    written to the sysctl. SECCOMP_RET_TRACE actions would not be logged
    since its string representation ("trace") wasn't present in the sysctl
    value.
    
    The path to the sysctl is:
    
     /proc/sys/kernel/seccomp/actions_logged
    
    The actions_avail sysctl can be read to discover the valid action names
    that can be written to the actions_logged sysctl with the exception of
    "allow". SECCOMP_RET_ALLOW actions cannot be configured for logging.
    
    The default setting for the sysctl is to allow all actions to be logged
    except SECCOMP_RET_ALLOW. While only SECCOMP_RET_KILL actions are
    currently logged, an upcoming patch will allow applications to request
    additional actions to be logged.
    
    There's one important exception to this sysctl. If a task is
    specifically being audited, meaning that an audit context has been
    allocated for the task, seccomp will log all actions other than
    SECCOMP_RET_ALLOW despite the value of actions_logged. This exception
    preserves the existing auditing behavior of tasks with an allocated
    audit context.
    
    With this patch, the logic for deciding if an action will be logged is:
    
    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if audit_enabled && task-is-being-audited:
      log
    else:
      do not log
    Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    0ddec0fc
seccomp.c 29.7 KB