On Thu, Apr 27, 2017 at 3:17 PM, Tyler Hicks <tyhicks(a)canonical.com> wrote:
Quick update... I finished the move from the high-water mark
log_max_action sysctl to the bitmask based actions_logged sysctl.
Awesome!
Unfortunately, I've just realized that SECCOMP_SET_LOGGING, or
any
process-wide logging configuration mechanism, will not work. It is fine
for the situation where two unrelated processes set up seccomp filters
that should be logged differently. However, it fails when two closely
related processes, such as parent and child, need to set up seccomp
filters that should be logged differently. Imagine a launcher that sets
up an application sandbox (including a seccomp filter) and then launches
an electron app which will have its own seccomp filter for sandboxing
untrusted code that it runs. Unless the launcher and app completely
agree on actions that should be logged, the logging won't work as
intended for both processes.
Oh, you mean the forked process sets up the logging it wants for the
filters it just installed, then after exec a process sets up new
logging requirements?
I think this needs to be configured at the filter level.
I'm not sure that's even the right way to compose the logging desires.
So, my initial thought was "whatever ran SECCOMP_SET_LOGGING knows
what it's doing" and it should be the actual value.
If the launcher wants logs of everything the application does with its
filters, then a purely-tied-to-filter approach won't work either.
Perhaps log bits can only be enabled? I.e. SECCOMP_SET_LOGGING
performs an OR instead of an assignment?
-Kees
--
Kees Cook
Pixel Security