• Tyler Hicks's avatar
    seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW · e66a3997
    Tyler Hicks authored
    Add a new filter flag, SECCOMP_FILTER_FLAG_LOG, that enables logging for
    all actions except for SECCOMP_RET_ALLOW for the given filter.
    
    SECCOMP_RET_KILL actions are always logged, when "kill" is in the
    actions_logged sysctl, and SECCOMP_RET_ALLOW actions are never logged,
    regardless of this flag.
    
    This flag can be used to create noisy filters that result in all
    non-allowed actions to be logged. A process may have one noisy filter,
    which is loaded with this flag, as well as a quiet filter that's not
    loaded with this flag. This allows for the actions in a set of filters
    to be selectively conveyed to the admin.
    
    Since a system could have a large number of allocated seccomp_filter
    structs, struct packing was taken in consideration. On 64 bit x86, the
    new log member takes up one byte of an existing four byte hole in the
    struct. On 32 bit x86, the new log member creates a new four byte hole
    (unavoidable) and consumes one of those bytes.
    
    Unfortunately, the tests added for SECCOMP_FILTER_FLAG_LOG are not
    capable of inspecting the audit log to verify that the actions taken in
    the filter were logged.
    
    With this patch, the logic for deciding if an action will be logged is:
    
    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if filter-requests-logging && action in actions_logged:
      log
    else if audit_enabled && process-is-being-audited:
      log
    else:
      do not log
    Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    e66a3997
seccomp_bpf.c 68.6 KB