Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-02 Thread Tyler Hicks
On 05/01/2018 12:25 PM, Paul Moore wrote: > On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote: >> On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: >>> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: The decision to log a seccomp action

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-01 Thread Paul Moore
On Tue, May 1, 2018 at 12:41 PM, Steve Grubb wrote: > On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: >> On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: >> > The decision to log a seccomp action will always be subject to the >> > value of

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-01 Thread Steve Grubb
On Tuesday, May 1, 2018 11:18:55 AM EDT Paul Moore wrote: > On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: > > The decision to log a seccomp action will always be subject to the > > value of the kernel.seccomp.actions_logged sysctl, even for processes > > that are

Re: [PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-05-01 Thread Paul Moore
On Fri, Apr 27, 2018 at 3:16 PM, Tyler Hicks wrote: > The decision to log a seccomp action will always be subject to the > value of the kernel.seccomp.actions_logged sysctl, even for processes > that are being inspected via the audit subsystem, in an upcoming patch. >

[PATCH 2/3] seccomp: Audit attempts to modify the actions_logged sysctl

2018-04-27 Thread Tyler Hicks
The decision to log a seccomp action will always be subject to the value of the kernel.seccomp.actions_logged sysctl, even for processes that are being inspected via the audit subsystem, in an upcoming patch. Therefore, we need to emit an audit record on attempts at writing to the actions_logged