• Tyler Hicks's avatar
    seccomp: Action to log before allowing · 59f5cf44
    Tyler Hicks authored
    Add a new action, SECCOMP_RET_LOG, that logs a syscall before allowing
    the syscall. At the implementation level, this action is identical to
    the existing SECCOMP_RET_ALLOW action. However, it can be very useful when
    initially developing a seccomp filter for an application. The developer
    can set the default action to be SECCOMP_RET_LOG, maybe mark any
    obviously needed syscalls with SECCOMP_RET_ALLOW, and then put the
    application through its paces. A list of syscalls that triggered the
    default action (SECCOMP_RET_LOG) can be easily gleaned from the logs and
    that list can be used to build the syscall whitelist. Finally, the
    developer can change the default action to the desired value.
    
    This provides a more friendly experience than seeing the application get
    killed, then updating the filter and rebuilding the app, seeing the
    application get killed due to a different syscall, then updating the
    filter and rebuilding the app, etc.
    
    The functionality is similar to what's supported by the various LSMs.
    SELinux has permissive mode, AppArmor has complain mode, SMACK has
    bring-up mode, etc.
    
    SECCOMP_RET_LOG is given a lower value than SECCOMP_RET_ALLOW as allow
    while logging is slightly more restrictive than quietly allowing.
    
    Unfortunately, the tests added for SECCOMP_RET_LOG are not capable of
    inspecting the audit log to verify that the syscall was logged.
    
    With this patch, the logic for deciding if an action will be logged is:
    
    if action == RET_ALLOW:
      do not log
    else if action == RET_KILL && RET_KILL in actions_logged:
      log
    else if action == RET_LOG && RET_LOG in actions_logged:
      log
    else if filter-requests-logging && action in actions_logged:
      log
    else if audit_enabled && process-is-being-audited:
      log
    else:
      do not log
    Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    59f5cf44
seccomp_bpf.c 71.3 KB