[PATCH v3 1/4] seccomp: Separate read and write code for actions_logged sysctl

parameter evaluates to true. Signed-off-by: Tyler Hicks --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/kernel/seccomp.c ++

[PATCH v3 4/4] seccomp: Don't special case audited processes when logging

Signed-off-by: Tyler Hicks --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 14 +- kernel/seccomp.c | 17 +++-- 4 fi

[PATCH v3 0/4] Better integrate seccomp logging and auditing

Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action. A

[PATCH v3 2/4] seccomp: Configurable separator for the actions_logged string

. Signed-off-by: Tyler Hicks --- kernel/seccomp.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f4afe67..b36ac1e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1135,10 +1135,11 @@ static const struct seccomp_log_name

[PATCH v3 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

enerated when reading the actions_logged sysctl. Suggested-by: Steve Grubb Signed-off-by: Tyler Hicks --- include/linux/audit.h | 5 + kernel/auditsc.c | 20 ++ kernel/seccomp.c | 58 +++ 3 files changed, 74 insertions(+)

Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

On 05/03/2018 04:12 PM, Steve Grubb wrote: > On Thursday, May 3, 2018 4:51:36 PM EDT Tyler Hicks wrote: >> On 05/03/2018 03:48 PM, Paul Moore wrote: >>> On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote: >>>> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote:

Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

On 05/03/2018 03:48 PM, Paul Moore wrote: > On Thu, May 3, 2018 at 4:42 PM, Steve Grubb wrote: >> On Thursday, May 3, 2018 4:18:26 PM EDT Paul Moore wrote: >>> On Wed, May 2, 2018 at 2:18 PM, Steve Grubb wrote: >>>> On Wednesday, May 2, 2018 11:53:19 AM EDT Tyler H

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

On 05/01/2018 12:25 PM, Paul Moore wrote: > On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote: >> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: >>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: >>>> The decision to log a seccomp action will alway

[PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl

ill_process,kill_thread,errno,trace,log res=1 No audit records are generated when reading the actions_logged sysctl. Suggested-by: Steve Grubb Signed-off-by: Tyler Hicks --- include/linux/audit.h | 5 + kernel/auditsc.c | 25 + kernel/seccomp.c | 51

[PATCH v2 4/4] seccomp: Don't special case audited processes when logging

Signed-off-by: Tyler Hicks --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 14 +- kernel/seccomp.c | 15 +-- 4 fi

[PATCH v2 2/4] seccomp: Configurable separator for the actions_logged string

. Signed-off-by: Tyler Hicks --- kernel/seccomp.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index f4afe67..b36ac1e 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1135,10 +1135,11 @@ static const struct seccomp_log_name

[PATCH v2 1/4] seccomp: Separate read and write code for actions_logged sysctl

parameter evaluates to true. Signed-off-by: Tyler Hicks --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/kernel/seccomp.c ++

[PATCH v2 0/4] Better integrate seccomp logging and auditing

Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action. A

[PATCH 0/3] Better integrate seccomp logging and auditing

Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action. A

[PATCH 1/3] seccomp: Separate read and write code for actions_logged sysctl

parameter evaluates to true. Signed-off-by: Tyler Hicks --- kernel/seccomp.c | 60 +++- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548..f4afe67 100644 --- a/kernel/seccomp.c ++

[PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

, results in the same value as the previous example for the actions field: type=CONFIG_CHANGE msg=audit(1524601204.365:152): pid=1704 uid=0 auid=1000 tty=pts8 ses=1 comm="tee" exe="/usr/bin/tee" op=seccomp-logging actions="kill_process kill_thread errno trace log"

[PATCH 3/3] seccomp: Don't special case audited processes when logging

Signed-off-by: Tyler Hicks --- Documentation/userspace-api/seccomp_filter.rst | 7 --- include/linux/audit.h | 10 +- kernel/auditsc.c | 2 +- kernel/seccomp.c | 15 +-- 4 files change

[PATCH] Documentation: Fix linux-api list typo

A Japanese translation file contained the incorrect email address for the linux-api list. Signed-off-by: Tyler Hicks --- I was unlucky enough to copy and paste this invalid address from `git grep linux-api Documentation` output, resulting in a patch set that bounced. Documentation