Seccomp actions are not audited in the 4.8 kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Tyler Hicks |
Bug Description
The following patch, released in v4.5, changed the auditing behavior of
seccomp:
commit 96368701e1c8905
Author: Paul Moore <email address hidden>
Date: Wed Jan 13 09:18:55 2016 -0500
audit: force seccomp event logging to honor the audit_enabled flag
In Ubuntu, where the audit subsystem is not enabled by default, this means that
seccomp actions are not logged at all unless the user has installed auditd or
added the audit=1 kernel command line parameter.
This impacts snap confinement in Yakkety because seccomp actions are no longer
audited which means that snap authors cannot easily know which restricted
system calls they're using.
To test, build the attached program:
$ sudo apt-get install libseccomp-dev
...
$ gcc -o test test.c -lseccomp
Run the program. It should be killed when calling open().
$ ./test
Bad system call
Now look in the syslog. In 4.4 kernels, there will be an audit record showing that the test program was killed because it called open() (syscall 2):
[666615.055437] audit: type=1326 audit(147447702
This audit record is not present in 4.8 kernels.
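To make the missing record concrete on the detection side, here is an added example (not the test program attached to this bug, and not part of the report) that parses the type=1326 seccomp audit records the 4.4 kernel writes to syslog and summarizes which syscall was blocked, with which action, in which process. The sample log line is constructed to match the field layout of the kernel's AUDIT_SECCOMP record (the record quoted above is truncated, so it is not reused verbatim); the x86-64 syscall table is a deliberately partial subset, and the kernel command line check only looks for the audit=1 parameter the report mentions.

```python
import re

# Constructed sample line in the AUDIT_SECCOMP (type=1326) layout. sig=31 is
# SIGSYS, arch=c000003e is AUDIT_ARCH_X86_64, syscall=2 is open() on x86-64,
# code=0x0 is the SECCOMP_RET_KILL action of the 4.4 era.
SAMPLE_LINE = (
    '[666615.055437] audit: type=1326 audit(1474477020.123:1337): auid=1000 '
    'uid=1000 gid=1000 ses=2 pid=4242 comm="test" exe="/home/user/test" '
    'sig=31 arch=c000003e syscall=2 compat=0 ip=0x7f3a4b2c1e07 code=0x0'
)

# Partial x86-64 syscall table (assumed subset, enough for this example).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 60: "exit",
                   231: "exit_group", 257: "openat"}

# seccomp action values as found in the upper 16 bits of the code= field.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL_THREAD",   # plain SECCOMP_RET_KILL before 4.14
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

# key=value pairs; values are either double-quoted strings or bare tokens.
AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_seccomp_record(line):
    """Return a dict describing a type=1326 record, or None for other lines."""
    if "type=1326" not in line:
        return None
    fields = {}
    for m in AUDIT_KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    nr = int(fields["syscall"])
    code = int(fields["code"], 16)
    if fields.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}"  # other architectures: number only
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields.get("exe"),
        "signal": int(fields["sig"]),
        "arch": fields["arch"],
        "syscall_nr": nr,
        "syscall": name,
        "action": SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL,
                                      f"unknown_0x{code:x}"),
    }


def summarize(lines):
    """One human-readable line per seccomp record found in the given log lines."""
    out = []
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec is None:
            continue
        out.append(f"pid {rec['pid']} ({rec['comm']}, {rec['exe']}): "
                   f"{rec['syscall']} [nr {rec['syscall_nr']}] -> "
                   f"{rec['action']}, sig {rec['signal']}")
    return out


def audit_enabled_on_cmdline(cmdline):
    """True if the kernel command line (e.g. /proc/cmdline) carries audit=1."""
    return "audit=1" in cmdline.split()


if __name__ == "__main__":
    for summary in summarize([SAMPLE_LINE]):
        print(summary)
    with open("/proc/cmdline") as f:
        print("audit=1 on cmdline:", audit_enabled_on_cmdline(f.read()))
```

Running this over the syslog of a 4.4 machine after the test described above yields a line naming open() as the killed syscall; on a 4.8 machine without auditd or audit=1 the record is simply absent, so an empty summary combined with a negative audit_enabled_on_cmdline() result is the signature of this bug rather than of a working filter.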
tags added: kernel-4.8
I've tested and submitted a quick fix to the kernel team:
https://lists.ubuntu.com/archives/kernel-team/2016-September/080066.html