On Thu, Apr 27, 2017 at 3:17 PM, Tyler Hicks <tyhicks@xxxxxxxxxxxxx> wrote: > Quick update... I finished the move from the high-water mark > log_max_action sysctl to the bitmask based actions_logged sysctl. Awesome! > Unfortunately, I've just realized that SECCOMP_SET_LOGGING, or any > process-wide logging configuration mechanism, will not work. It is fine > for the situation where two unrelated processes set up seccomp filters > that should be logged differently. However, it fails when two closely > related processes, such as parent and child, need to set up seccomp > filters that should be logged differently. Imagine a launcher that sets > up an application sandbox (including a seccomp filter) and then launches > an electron app which will have its own seccomp filter for sandboxing > untrusted code that it runs. Unless the launcher and app completely > agree on actions that should be logged, the logging won't work as > intended for both processes. Oh, you mean the forked process sets up the logging it wants for the filters it just installed, then after exec a process sets up new logging requirements? > I think this needs to be configured at the filter level. I'm not sure that's even the right way to compose the logging desires. So, my initial thought was "whatever ran SECCOMP_SET_LOGGING knows what it's doing" and it should be the actual value. If the launcher wants logs of everything the application does with its filters, then a purely-tied-to-filter approach won't work either. Perhaps log bits can only be enabled? I.e. SECCOMP_SET_LOGGING performs an OR instead of an assignment? -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html