[PATCH] UBUNTU: SAUCE: seccomp: log actions even when audit is disabled

Tyler Hicks tyhicks at canonical.com
Wed Sep 21 18:07:12 UTC 2016


On 09/21/2016 01:04 PM, Tyler Hicks wrote:
> https://launchpad.net/bugs/1626194
> 
> Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the
> auditing behavior of seccomp so that actions are only logged when the
> audit subsystem is enabled. A default install of Ubuntu does not include
> the audit userspace and simply enabling the audit subsystem, without
> filtering some audit events, would result in more audit records hitting
> the system log than usual.
> 
> This patch undoes the functional change in upstream commit
> 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old
> behavior of logging seccomp actions even when audit is not enabled.

I'm going to be working with upstream on some seccomp logging changes
and will get this issue sorted out, as well. In the meantime, we need to
re-enable this basic logging functionality so that snap confinement
isn't silently killing snap processes without the snap developer being
able to debug which syscall was at fault.

Tyler

> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>  include/linux/audit.h | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 9d4443f..1737be6 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -315,9 +315,6 @@ void audit_core_dumps(long signr);
>  
>  static inline void audit_seccomp(unsigned long syscall, long signr, int code)
>  {
> -	if (!audit_enabled)
> -		return;
> -
>  	/* Force a record to be reported if a signal was delivered. */
>  	if (signr || unlikely(!audit_dummy_context()))
>  		__audit_seccomp(syscall, signr, code);
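Review bot: In audit_seccomp(), removing the `if (!audit_enabled)` early return leaves nothing in the function that records why it now differs from upstream commit 96368701e1c89057bbf39222e965161c68a85b4b, so a later rebase could restore the check unnoticed. A short comment above the `if (signr || unlikely(!audit_dummy_context()))` test, stating that seccomp actions are deliberately logged even when audit is disabled and referencing the Launchpad bug, would prevent that. Also, with the gate gone a record is emitted whenever `signr` is set, even on systems where the administrator disabled audit on purpose. The commit message should say so, and say whether the output of __audit_seccomp() is rate limited in that configuration, since a process that keeps hitting a filtered syscall can otherwise produce one record per kill.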
> 
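To illustrate the debugging use case described in the message above, here is an added example (not part of the original mail or of the kernel tree) that pulls the offending syscall out of seccomp records in the kernel log. It assumes the kernel's seccomp audit record layout (type=1326 with `sig=`, `arch=` and `syscall=` fields); the log lines, PIDs and paths are constructed, and the syscall table is a small x86_64 subset.

```python
import re

AUDIT_SECCOMP = 1326  # audit record type used for seccomp actions
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}
# Partial x86_64 syscall table, enough for the constructed sample below.
X86_64_SYSCALLS = {2: "open", 41: "socket", 59: "execve", 101: "ptrace", 165: "mount"}

RECORD = re.compile(r"type=(\d+) audit\(\d+\.\d+:\d+\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of kernel log output (no auditd running).
SAMPLE_LOG = """\
[  101.500000] audit: type=1326 audit(1474481232.123:45): auid=1000 uid=1000 gid=1000 ses=1 pid=4242 comm="demo-snap" exe="/snap/demo/x1/bin/demo" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000001234 code=0x0
[  101.900000] audit: type=1400 audit(1474481232.500:46): apparmor="DENIED" operation="open" pid=4243 comm="other"
[  102.300000] audit: type=1326 audit(1474481233.001:47): auid=1000 uid=1000 gid=1000 ses=1 pid=4250 comm="old-tool" exe="/snap/demo/x1/bin/old" sig=31 arch=40000003 syscall=102 compat=1 ip=0xf7700000 code=0x0
"""

def parse_seccomp(line):
    """Return a dict for a seccomp audit record, or None for anything else."""
    m = RECORD.search(line)
    if not m or int(m.group(1)) != AUDIT_SECCOMP:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    try:
        arch = int(fields["arch"], 16)   # arch is logged as bare hex
        nr = int(fields["syscall"])      # syscall number is decimal
        sig = int(fields["sig"])         # 31 is SIGSYS on x86
    except (KeyError, ValueError):
        return None                      # truncated or malformed record
    arch_name = ARCHES.get(arch, hex(arch))
    # Syscall numbers are per-architecture; only resolve names for x86_64.
    name = X86_64_SYSCALLS.get(nr) if arch_name == "x86_64" else None
    return {"pid": int(fields.get("pid", -1)), "comm": fields.get("comm", "?"),
            "sig": sig, "arch": arch_name, "syscall_nr": nr,
            "syscall": name or "unknown(%d)" % nr}

def blocked_syscalls(log_text):
    """Parse every line and keep only the seccomp records."""
    parsed = (parse_seccomp(line) for line in log_text.splitlines())
    return [rec for rec in parsed if rec is not None]

if __name__ == "__main__":
    for rec in blocked_syscalls(SAMPLE_LOG):
        print("{comm} (pid {pid}) killed by sig {sig}: {arch} syscall {syscall}".format(**rec))
```
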

