| Message ID | 1474481075-17457-1-git-send-email-tyhicks@canonical.com |
|---|---|
| State | New |
On 09/21/2016 01:04 PM, Tyler Hicks wrote: > https://launchpad.net/bugs/1626194 > > Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the > auditing behavior of seccomp so that actions are only logged when the > audit subsystem is enabled. A default install of Ubuntu does not include > the audit userspace and simply enabling the audit subsystem, without > filtering some audit events, would result in more audit records hitting > the system log than usual. > > This patch undoes the functional change in upstream commit > 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old > behavior of logging seccomp actions even when audit is not enabled. I'm going to be working with upstream on some seccomp logging changes and will get this issue sorted out, as well. In the meantime, we need to re-enable this basic logging functionality so that snap confinement isn't silently killing snap processes without the snap developer being able to debug which syscall was at fault. Tyler > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > --- > include/linux/audit.h | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9d4443f..1737be6 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -315,9 +315,6 @@ void audit_core_dumps(long signr); > > static inline void audit_seccomp(unsigned long syscall, long signr, int code) > { > - if (!audit_enabled) > - return; > - > /* Force a record to be reported if a signal was delivered. */ > if (signr || unlikely(!audit_dummy_context())) > __audit_seccomp(syscall, signr, code); >
On 09/21/2016 01:04 PM, Tyler Hicks wrote: > https://launchpad.net/bugs/1626194 > > Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the > auditing behavior of seccomp so that actions are only logged when the > audit subsystem is enabled. A default install of Ubuntu does not include > the audit userspace and simply enabling the audit subsystem, without > filtering some audit events, would result in more audit records hitting > the system log than usual. > > This patch undoes the functional change in upstream commit > 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old > behavior of logging seccomp actions even when audit is not enabled. This is intended for the Yakkety 4.8 kernel only. Sorry for the missing [Yakkety] tag in the subject. Tyler > > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > --- > include/linux/audit.h | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9d4443f..1737be6 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -315,9 +315,6 @@ void audit_core_dumps(long signr); > > static inline void audit_seccomp(unsigned long syscall, long signr, int code) > { > - if (!audit_enabled) > - return; > - > /* Force a record to be reported if a signal was delivered. */ > if (signr || unlikely(!audit_dummy_context())) > __audit_seccomp(syscall, signr, code); >
On 09/21/2016 12:04 PM, Tyler Hicks wrote: > https://launchpad.net/bugs/1626194 > > Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the > auditing behavior of seccomp so that actions are only logged when the > audit subsystem is enabled. A default install of Ubuntu does not include > the audit userspace and simply enabling the audit subsystem, without > filtering some audit events, would result in more audit records hitting > the system log than usual. > > This patch undoes the functional change in upstream commit > 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old > behavior of logging seccomp actions even when audit is not enabled. > > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> > --- > include/linux/audit.h | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9d4443f..1737be6 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -315,9 +315,6 @@ void audit_core_dumps(long signr); > > static inline void audit_seccomp(unsigned long syscall, long signr, int code) > { > - if (!audit_enabled) > - return; > - > /* Force a record to be reported if a signal was delivered. */ > if (signr || unlikely(!audit_dummy_context())) > __audit_seccomp(syscall, signr, code); > Tyler - this appears to have already been applied to Yakkety master-next. rtg
On 09/21/2016 01:17 PM, Tim Gardner wrote: > On 09/21/2016 12:04 PM, Tyler Hicks wrote: >> https://launchpad.net/bugs/1626194 >> >> Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the >> auditing behavior of seccomp so that actions are only logged when the >> audit subsystem is enabled. A default install of Ubuntu does not include >> the audit userspace and simply enabling the audit subsystem, without >> filtering some audit events, would result in more audit records hitting >> the system log than usual. >> >> This patch undoes the functional change in upstream commit >> 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old >> behavior of logging seccomp actions even when audit is not enabled. >> >> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> >> --- >> include/linux/audit.h | 3 --- >> 1 file changed, 3 deletions(-) >> >> diff --git a/include/linux/audit.h b/include/linux/audit.h >> index 9d4443f..1737be6 100644 >> --- a/include/linux/audit.h >> +++ b/include/linux/audit.h >> @@ -315,9 +315,6 @@ void audit_core_dumps(long signr); >> >> static inline void audit_seccomp(unsigned long syscall, long signr, int code) >> { >> - if (!audit_enabled) >> - return; >> - >> /* Force a record to be reported if a signal was delivered. */ >> if (signr || unlikely(!audit_dummy_context())) >> __audit_seccomp(syscall, signr, code); >> > > Tyler - this appears to have already been applied to Yakkety master-next. > > rtg > Never mind, it helps to be in the right repo. rtg
diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d4443f..1737be6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -315,9 +315,6 @@ void audit_core_dumps(long signr); static inline void audit_seccomp(unsigned long syscall, long signr, int code) { - if (!audit_enabled) - return; - /* Force a record to be reported if a signal was delivered. */ if (signr || unlikely(!audit_dummy_context())) __audit_seccomp(syscall, signr, code);
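Review bot: Removing the `if (!audit_enabled) return;` gate leaves nothing in the code that records this kernel diverging from upstream on purpose, so the next rebase onto a tree that still carries the gate will silently lose seccomp logging again; add a comment above the remaining check (for example `/* Ubuntu: log seccomp actions even when audit is off, see LP: #1626194 */`) and state in the subject that this reverts the functional part of 96368701e1c89057bbf39222e965161c68a85b4b. With the gate gone, `if (signr || unlikely(!audit_dummy_context()))` is the only remaining throttle, so every signal-delivering seccomp action now reaches `__audit_seccomp()` and hence the kernel log whether or not auditd is installed; that is what the commit message asks for, but the log-volume trade-off it discusses for the audit-enabled case applies here too and is worth spelling out in the message.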
https://launchpad.net/bugs/1626194

Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the auditing behavior of seccomp so that actions are only logged when the audit subsystem is enabled. A default install of Ubuntu does not include the audit userspace and simply enabling the audit subsystem, without filtering some audit events, would result in more audit records hitting the system log than usual.

This patch undoes the functional change in upstream commit 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old behavior of logging seccomp actions even when audit is not enabled.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 include/linux/audit.h | 3 ---
 1 file changed, 3 deletions(-)
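The point of restoring this logging is that a developer whose confined process is killed can read the kernel log and see which syscall triggered the filter. The following is an added example, not part of the patch or the thread, showing how to pull that information out of the `type=1326` (AUDIT_SECCOMP) records that `__audit_seccomp()` emits. It assumes the record layout `sig=... arch=... syscall=... compat=... ip=... code=...` as printed by kernels of this era, uses a small, partial x86_64 syscall-number table (numbers from the upstream `unistd_64` table), and runs over constructed log lines embedded in the script; the executable paths and pids in those lines are made up.

```python
import re

# Constructed sample of kernel-log lines; the seccomp records use the layout
# __audit_seccomp() produces, the values themselves are invented for this example.
SAMPLE_LOG = """\
audit: type=1326 audit(1474481075.101:12): auid=1000 uid=1000 gid=1000 ses=2 pid=4321 comm="hello" exe="/snap/hello-world/27/bin/hello" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3c2a1b2c3d code=0x0
kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
audit: type=1400 audit(1474481075.150:13): apparmor="DENIED" operation="open" profile="snap.hello-world.hello" name="/etc/shadow" pid=4321 comm="hello" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1326 audit(1474481075.204:14): auid=1000 uid=1000 gid=1000 ses=2 pid=4322 comm="hello" exe="/snap/hello-world/27/bin/hello" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3c2a1b2c3d code=0x0
audit: type=1326 audit(1474481075.309:15): auid=1000 uid=1000 gid=1000 ses=2 pid=4400 comm="other" exe="/snap/other/3/bin/other" sig=31 arch=c000003e syscall=257 compat=0 ip=0x7f9a0b1c2d3e code=0x0
"""

# Partial x86_64 syscall table; enough for the sample, extend as needed.
X86_64_SYSCALLS = {2: "open", 41: "socket", 42: "connect", 59: "execve",
                   101: "ptrace", 257: "openat"}

# AUDIT_ARCH_X86_64 = EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
AUDIT_ARCH_X86_64 = "c000003e"

# Action is the high 16 bits of the filter return value (SECCOMP_RET_ACTION mask).
SECCOMP_RET_ACTION = 0x7FFF0000
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

RECORD_RE = re.compile(r"type=1326 audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Parse one kernel-log line; return a dict for AUDIT_SECCOMP records, else None."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    nr = int(fields["syscall"])
    # Syscall numbers are per-architecture; only native x86_64 is mapped here.
    if fields.get("arch") == AUDIT_ARCH_X86_64 and fields.get("compat") == "0":
        name = X86_64_SYSCALLS.get(nr, "syscall_%d" % nr)
    else:
        name = "syscall_%d" % nr
    code = int(fields["code"], 16)
    return {
        "timestamp": float(m.group("ts")),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields["exe"],
        "syscall_nr": nr,
        "syscall": name,
        "signal": int(fields["sig"]),
        "action": SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION, "unknown"),
    }


def summarize(log_text):
    """Count seccomp hits per executable and syscall: {exe: {syscall_name: count}}."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_seccomp_record(line)
        if rec is None:
            continue
        per_exe = summary.setdefault(rec["exe"], {})
        per_exe[rec["syscall"]] = per_exe.get(rec["syscall"], 0) + 1
    return summary


if __name__ == "__main__":
    for exe, hits in summarize(SAMPLE_LOG).items():
        for name, count in sorted(hits.items()):
            print("%s: %s x%d" % (exe, name, count))
```

Feed it `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` to get the same per-executable breakdown on a real machine; records from compat (32-bit) tasks or other architectures keep their raw number rather than being mis-mapped through the x86_64 table.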