Re: [PATCH v2 4/4] seccomp: Don't special case audited processes when logging

From: Kees Cook
Date: Wed May 02 2018 - 12:57:18 EST


On Wed, May 2, 2018 at 8:53 AM, Tyler Hicks <tyhicks@xxxxxxxxxxxxx> wrote:
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index da78835..9029d9d 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -584,18 +584,13 @@ static inline void seccomp_log(unsigned long syscall, long signr, u32 action,
> }
>
> /*
> - * Force an audit message to be emitted when the action is RET_KILL_*,
> - * RET_LOG, or the FILTER_FLAG_LOG bit was set and the action is
> - * allowed to be logged by the admin.
> + * Emit an audit message when the action is RET_KILL_*, RET_LOG, or the
> + * FILTER_FLAG_LOG bit was set. The admin has the ability to silence
> + * any action from being logged by removing the action name from the
> + * seccomp_actions_logged sysctl.
> */
> if (log)
> - return __audit_seccomp(syscall, signr, action);
> -
> - /*
> - * Let the audit subsystem decide if the action should be audited based
> - * on whether the current task itself is being audited.
> - */
> - return audit_seccomp(syscall, signr, action);
> + audit_seccomp(syscall, signr, action);
> }

This whole series looks great to me. If I can get an Ack from Paul for
the audit bits, I can take it via the seccomp tree. One minor nit on
seccomp_log() above, I'd probably change this to show the "exception"
case as "out of line" of normal code flow. i.e. instead of "if (log)
audit_seccomp", invert it to return early:

...
if (!log)
return;

audit_seccomp(syscall, signr, action);
}

But if there isn't some other need for a v3, I can just make this
change when I commit.

Thanks for fixing this up!

-Kees

--
Kees Cook
Pixel Security