Re: [PATCH v6 3/6] seccomp: Sysctl to configure actions that are allowed to be logged

From: Tyler Hicks
Date: Fri Aug 11 2017 - 15:33:49 EST


On 08/11/2017 02:17 PM, Kees Cook wrote:
> On Thu, Aug 10, 2017 at 9:33 PM, Tyler Hicks <tyhicks@xxxxxxxxxxxxx> wrote:
>> +static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write,
>> + void __user *buffer, size_t *lenp,
>> + loff_t *ppos)
>> +{
>> + char names[sizeof(seccomp_actions_avail)];
>> + struct ctl_table table;
>> + int ret;
>> +
>> + if (write && !capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>> +
>> + memset(names, 0, sizeof(names));
>> +
>> + if (!write) {
>> + if (!seccomp_names_from_actions_logged(names, sizeof(names),
>> + seccomp_actions_logged))
>> + return -EINVAL;
>> + }
>> +
>> + table = *ro_table;
>> + table.data = names;
>> + table.maxlen = sizeof(names);
>> + ret = proc_dostring(&table, write, buffer, lenp, ppos);
>> + if (ret)
>> + return ret;
>> +
>> + if (write) {
>> + u32 actions_logged;
>> +
>> + if (!seccomp_actions_logged_from_names(&actions_logged,
>> + table.data))
>> + return -EINVAL;
>> +
>> + if (actions_logged & SECCOMP_LOG_ALLOW)
>> + return -EINVAL;
>> +
>> + seccomp_actions_logged = actions_logged;
>> + }
>> +
>> + return 0;
>> +}
>
> One thought here: should "kill" be always forced on during a write?
> This flag effectively cannot be disabled, so listing it (or not) in
> the sysctl may be confusing...

"kill" can be silenced in the current implementation. Lets hammer out
whether or not that's the right thing to do and then we can discuss the
sysctl behavior on write. I don't personally have any concerns about an
admin being able to silence RET_KILL logs but let me know if you are
against it.

Tyler

>
> -Kees
>


Attachment: signature.asc
Description: OpenPGP digital signature