Re: Should audit_seccomp check audit_enabled?

From: Paul Moore
Date: Fri Oct 23 2015 - 15:38:13 EST


On Fri, Oct 23, 2015 at 1:01 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Fri, Oct 23, 2015 at 9:19 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> I would argue that, if auditing is off, audit_seccomp shouldn't do
>> anything. After all, unlike e.g. selinux, seccomp is not a systemwide
>> policy, and seccomp signals might be ordinary behavior that's internal
>> to the seccomp-using application. IOW, for people with audit compiled
>> in and subscribed by journald but switched off, I think that the
>> records shouldn't be emitted.
>>
>> If you agree, I can send the two-line patch.
>
> I think signr==0 states (which I would identify as "intended
> behavior") don't need to be reported under any situation, but audit
> folks wanted to keep it around.

Wearing my libseccomp hat, I would like some logging when the seccomp
filter triggers a result other than allow. I don't care if this is
via audit or printk(), I just want some notification. If we go the
printk route and people really don't want to see anything in their
logs, I suppose we could always add a sysctl knob to turn off the
message completely (we would still need to do whatever audit records
are required, see below).

Wearing my audit hat, I want to make sure we tick off all the right
boxes for the various certifications that people care about. Steve
Grubb has commented on what he needs in the past, although I'm not
sure it was on-list, so I'll ask him to repeat it here.

--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/