I've tested and submitted a quick fix to the kernel team:

  https://lists.ubuntu.com/archives/kernel-
team/2016-September/080066.html

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1626194

Title:
  Seccomp actions are not audited in the 4.8 kernel

Status in linux package in Ubuntu:
  In Progress

Bug description:
  The following patch, released in v4.5, changed the auditing behavior of
  seccomp:

    commit 96368701e1c89057bbf39222e965161c68a85b4b
    Author: Paul Moore <pmo...@redhat.com>
    Date:   Wed Jan 13 09:18:55 2016 -0500

        audit: force seccomp event logging to honor the audit_enabled
  flag

  In Ubuntu, where the audit subsystem is not enabled by default, it means that
  seccomp actions are not logged unless the user has installed auditd or added
  the audit=1 kernel command line parameter.

  This impacts snap confinement in Yakkety because seccomp actions are no longer
  audited which means that snap authors cannot easily know which restricted
  system calls they're using.

  To test, build the attached program:

   $ sudo apt-get install libseccomp-dev
   ...
   $ gcc -o test test.c -lseccomp

  Run the program. It should be killed when calling open().

   $ ./test
   Bad system call

  Now look in the syslog. In 4.4 kernels, there will be an audit record
  showing that the test program was killed because it called open()
  (syscall 2):

    [666615.055437] audit: type=1326 audit(1474477027.391:261):
  auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=12546 comm="test"
  exe="/tmp/seccomp-log/test" sig=31 arch=c000003e syscall=2 compat=0
  ip=0x7fde77e45790 code=0x0

  This audit record is not present in 4.8 kernels.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1626194/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to