Re: seccomp: dump core when using SECCOMP_RET_KILL

From: Paul Moore
Date: Sat Jan 28 2017 - 09:45:46 EST

On Fri, Jan 27, 2017 at 4:48 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> For logging, I think audit needs to grow fork-tracking, and/or have a
> new "is under seccomp" test that can be exposed to auditctl. Then the
> system owner can issue either "tell me about all seccomp kills" or
> "tell me about seccomp kills in this process tree". As such, I don't
> think we should be making filter-level changes to deal with the needs
> of seccomp logging.

I really don't want to see seccomp logging relying on special audit
functionality simply because there are people using seccomp that don't
use audit. Whatever we do with seccomp logging we need to make sure
it works okay~ish regardless of audit.

See some of the discussion around Tyler's last patchset.

paul moore