RFE: expose improved kernel logging features through libseccomp

doc/man/man3/seccomp_api_get.3

@@ -47,6 +47,9 @@ The SCMP_FLTATR_CTL_TSYNC filter attribute is supported and libseccomp uses
 the
 .BR seccomp(2)
 syscall to load the seccomp filter into the kernel.
+.TP
+.B 3
+The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are supported.
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////

doc/man/man3/seccomp_attr_set.3

@@ -86,6 +86,14 @@ specific syscall invocations, see
 for more information.  Defaults to off (
 .I value
 == 0).
+.TP
+.B SCMP_FLTATR_CTL_LOG
+A flag to specify if the kernel should log all filter actions taken except for
+the
+.BR SCMP_ACT_ALLOW
+action. Defaults to off (
+.I value
+== 0).
 .\" //////////////////////////////////////////////////////////////////////////
 .SH RETURN VALUE
 .\" //////////////////////////////////////////////////////////////////////////

doc/man/man3/seccomp_init.3

@@ -79,6 +79,11 @@ can be retrieved using the
 .B PTRACE_GETEVENTMSG
 option.
 .TP
+.B SCMP_ACT_LOG
+The seccomp filter will have no effect on the thread calling the syscall if it
+does not match any of the configured seccomp filter rules but the syscall will
+be logged.
+.TP
 .B SCMP_ACT_ALLOW
 The seccomp filter will have no effect on the thread calling the syscall if it
 does not match any of the configured seccomp filter rules.

doc/man/man3/seccomp_rule_add.3

@@ -133,6 +133,10 @@ can be retrieved using the
 .B PTRACE_GETEVENTMSG
 option.
 .TP
+.B SCMP_ACT_LOG
+The seccomp filter will have no effect on the thread calling the syscall if it
+matches the filter rule but the syscall will be logged.
+.TP
 .B SCMP_ACT_ALLOW
 The seccomp filter will have no effect on the thread calling the syscall if it
 matches the filter rule.

include/seccomp.h.in

@@ -64,6 +64,7 @@ enum scmp_filter_attr {
 	SCMP_FLTATR_CTL_NNP = 3,	/**< set NO_NEW_PRIVS on filter load */
 	SCMP_FLTATR_CTL_TSYNC = 4,	/**< sync threads on filter load */
 	SCMP_FLTATR_API_TSKIP = 5,	/**< allow rules with a -1 syscall */
+	SCMP_FLTATR_CTL_LOG = 6,	/**< log not-allowed actions */
 	_SCMP_FLTATR_MAX,
 };
 
@@ -256,6 +257,10 @@ struct scmp_arg_cmp {
  * Notify a tracing process with the specified value
  */
 #define SCMP_ACT_TRACE(x)	(0x7ff00000U | ((x) & 0x0000ffffU))
+/**
+ * Allow the syscall to be executed after the action has been logged
+ */
+#define SCMP_ACT_LOG		0x7ffc0000U
 /**
  * Allow the syscall to be executed
  */
@@ -290,6 +295,8 @@ const struct scmp_version *seccomp_version(void);
  *  1 : base level
  *  2 : support for the SCMP_FLTATR_CTL_TSYNC filter attribute
  *      uses the seccomp(2) syscall instead of the prctl(2) syscall
+ *  3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
+ *      support for the SCMP_ACT_LOG action
  *
  */
 const unsigned int seccomp_api_get(void);

src/api.c

@@ -102,6 +102,12 @@ static unsigned int _seccomp_api_update(void)
 	    sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC) == 1)
 		level = 2;
 
+	/* level 3 */
+	if (level == 2 &&
+	    sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG) == 1 &&
+	    sys_chk_seccomp_action(SCMP_ACT_LOG) == 1)
+		level = 3;
+
 	/* update the stored api level and return */
 	seccomp_api_level = level;
 	return seccomp_api_level;
@@ -127,10 +133,20 @@ API int seccomp_api_set(unsigned int level)
 	case 1:
 		sys_set_seccomp_syscall(false);
 		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, false);
+		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
+		sys_set_seccomp_action(SCMP_ACT_LOG, false);
 		break;
 	case 2:
 		sys_set_seccomp_syscall(true);
 		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
+		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, false);
+		sys_set_seccomp_action(SCMP_ACT_LOG, false);
+		break;
+	case 3:
+		sys_set_seccomp_syscall(true);
+		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
+		sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
+		sys_set_seccomp_action(SCMP_ACT_LOG, true);
 		break;
 	default:
 		return -EINVAL;

src/db.c

@@ -660,18 +660,8 @@ void db_col_release(struct db_filter_col *col)
  */
 int db_action_valid(uint32_t action)
 {
-	if (action == SCMP_ACT_KILL)
+	if (sys_chk_seccomp_action(action) == 1)
 		return 0;
-	else if (action == SCMP_ACT_TRAP)
-		return 0;
-	else if ((action == SCMP_ACT_ERRNO(action & 0x0000ffff)) &&
-		 ((action & 0x0000ffff) < MAX_ERRNO))
-		return 0;
-	else if (action == SCMP_ACT_TRACE(action & 0x0000ffff))
-		return 0;
-	else if (action == SCMP_ACT_ALLOW)
-		return 0;
-
 	return -EINVAL;
 }
 
@@ -792,6 +782,9 @@ int db_col_attr_get(const struct db_filter_col *col,
 	case SCMP_FLTATR_API_TSKIP:
 		*value = col->attr.api_tskip;
 		break;
+	case SCMP_FLTATR_CTL_LOG:
+		*value = col->attr.log_enable;
+		break;
 	default:
 		rc = -EEXIST;
 		break;
@@ -842,6 +835,17 @@ int db_col_attr_set(struct db_filter_col *col,
 	case SCMP_FLTATR_API_TSKIP:
 		col->attr.api_tskip = (value ? 1 : 0);
 		break;
+	case SCMP_FLTATR_CTL_LOG:
+		rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_LOG);
+		if (rc == 1) {
+			/* supported */
+			rc = 0;
+			col->attr.log_enable = (value ? 1 : 0);
+		} else if (rc == 0) {
+			/* unsupported */
+			rc = -EOPNOTSUPP;
+		}
+		break;
 	default:
 		rc = -EEXIST;
 		break;

src/db.h

@@ -139,6 +139,8 @@ struct db_filter_attr {
 	uint32_t tsync_enable;
 	/* allow rules with a -1 syscall value */
 	uint32_t api_tskip;
+	/* SECCOMP_FILTER_FLAG_LOG related attributes */
+	uint32_t log_enable;
 };
 
 struct db_filter {

src/gen_pfc.c

@@ -130,6 +130,9 @@ static void _pfc_action(FILE *fds, uint32_t action)
 	case SCMP_ACT_TRACE(0):
 		fprintf(fds, "action TRACE(%u);\n", (action & 0x0000ffff));
 		break;
+	case SCMP_ACT_LOG:
+		fprintf(fds, "action LOG;\n");
+		break;
 	case SCMP_ACT_ALLOW:
 		fprintf(fds, "action ALLOW;\n");
 		break;

src/python/libseccomp.pxd

@@ -57,6 +57,7 @@ cdef extern from "seccomp.h":
         SCMP_FLTATR_CTL_NNP
         SCMP_FLTATR_CTL_TSYNC
         SCMP_FLTATR_API_TSKIP
+        SCMP_FLTATR_CTL_LOG
 
     cdef enum scmp_compare:
         SCMP_CMP_NE
@@ -70,6 +71,7 @@ cdef extern from "seccomp.h":
     cdef enum:
         SCMP_ACT_KILL
         SCMP_ACT_TRAP
+        SCMP_ACT_LOG
         SCMP_ACT_ALLOW
     unsigned int SCMP_ACT_ERRNO(int errno)
     unsigned int SCMP_ACT_TRACE(int value)

src/python/seccomp.pyx

@@ -30,6 +30,7 @@ by application developers.
 
 Filter action values:
     KILL - kill the process
+    LOG - allow the syscall to be executed after the action has been logged
     ALLOW - allow the syscall to execute
     TRAP - a SIGSYS signal will be thrown
     ERRNO(x) - syscall will return (x)
@@ -95,6 +96,7 @@ def c_str(string):
 
 KILL = libseccomp.SCMP_ACT_KILL
 TRAP = libseccomp.SCMP_ACT_TRAP
+LOG = libseccomp.SCMP_ACT_LOG
 ALLOW = libseccomp.SCMP_ACT_ALLOW
 def ERRNO(int errno):
     """The action ERRNO(x) means that the syscall will return (x).
@@ -303,6 +305,7 @@ cdef class Attr:
     CTL_NNP = libseccomp.SCMP_FLTATR_CTL_NNP
     CTL_TSYNC = libseccomp.SCMP_FLTATR_CTL_TSYNC
     API_TSKIP = libseccomp.SCMP_FLTATR_API_TSKIP
+    CTL_LOG = libseccomp.SCMP_FLTATR_CTL_LOG
 
 cdef class Arg:
     """ Python object representing a SyscallFilter syscall argument.
@@ -542,7 +545,7 @@ cdef class SyscallFilter:
         """ Add a new rule to filter.
 
         Arguments:
-        action - the rule action: KILL, TRAP, ERRNO(), TRACE(), or ALLOW
+        action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
         syscall - the syscall name or number
         args - variable number of Arg objects
 
@@ -624,7 +627,7 @@ cdef class SyscallFilter:
         """ Add a new rule to filter.
 
         Arguments:
-        action - the rule action: KILL, TRAP, ERRNO(), TRACE(), or ALLOW
+        action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
         syscall - the syscall name or number
         args - variable number of Arg objects
 

src/system.c

@@ -41,6 +41,8 @@
 static int _nr_seccomp = -1;
 static int _support_seccomp_syscall = -1;
 static int _support_seccomp_flag_tsync = -1;
+static int _support_seccomp_flag_log = -1;
+static int _support_seccomp_action_log = -1;
 
 /**
  * Check to see if the seccomp() syscall is supported
@@ -111,6 +113,78 @@ void sys_set_seccomp_syscall(bool enable)
 	_support_seccomp_syscall = (enable ? 1 : 0);
 }
 
+/**
+ * Check to see if a seccomp action is supported
+ * @param action the seccomp action
+ *
+ * This function checks to see if a seccomp action is supported by the system.
+ * Return one if the action is supported, zero otherwise.
+ *
+ */
+int sys_chk_seccomp_action(uint32_t action)
+{
+	if (action == SCMP_ACT_KILL) {
+		return 1;
+	} else if (action == SCMP_ACT_TRAP) {
+		return 1;
+	} else if ((action == SCMP_ACT_ERRNO(action & 0x0000ffff)) &&
+		   ((action & 0x0000ffff) < MAX_ERRNO)) {
+		return 1;
+	} else if (action == SCMP_ACT_TRACE(action & 0x0000ffff)) {
+		return 1;
+	} else if (action == SCMP_ACT_LOG) {
+		if (_support_seccomp_action_log < 0) {
+			if (sys_chk_seccomp_syscall() == 1 &&
+			    syscall(_nr_seccomp, SECCOMP_GET_ACTION_AVAIL, 0,
+				    &action) == 0)
+				_support_seccomp_action_log = 1;
+			else
+				_support_seccomp_action_log = 0;
+		}
+
+		return _support_seccomp_action_log;
+	} else if (action == SCMP_ACT_ALLOW) {
+		return 1;
+	}
+
+	return 0;
+}
+
+/**
+ * Force a seccomp action support setting
+ * @param action the seccomp action
+ * @param enable the intended support state
+ *
+ * This function overrides the current seccomp action support setting; this
+ * is very much a "use at your own risk" function.
+ */
+void sys_set_seccomp_action(uint32_t action, bool enable)
+{
+	if (action == SCMP_ACT_LOG)
+		_support_seccomp_action_log = (enable ? 1 : 0);
+}
+
+/**
+ * Check to see if a seccomp() flag is supported by the kernel
+ * @param flag the seccomp() flag
+ *
+ * This function checks to see if a seccomp() flag is supported by the kernel.
+ * Return one if the flag is supported, zero otherwise.
+ *
+ */
+static int _sys_chk_seccomp_flag_kernel(int flag)
+{
+	/* this is an invalid seccomp(2) call because the last argument
+	 * is NULL, but depending on the errno value of EFAULT we can
+	 * guess if the filter flag is supported or not */
+	if (sys_chk_seccomp_syscall() == 1 &&
+	    syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flag, NULL) == -1 &&
+	    errno == EFAULT)
+		return 1;
+
+	return 0;
+}
+
 /**
  * Check to see if a seccomp() flag is supported
  * @param flag the seccomp() flag
@@ -122,15 +196,17 @@ void sys_set_seccomp_syscall(bool enable)
  */
 int sys_chk_seccomp_flag(int flag)
 {
-	int rc;
-
 	switch (flag) {
 	case SECCOMP_FILTER_FLAG_TSYNC:
-		if (_support_seccomp_flag_tsync < 0) {
-			rc = sys_chk_seccomp_syscall();
-			_support_seccomp_flag_tsync = (rc == 1 ? 1 : 0);
-		}
+		if (_support_seccomp_flag_tsync < 0)
+			_support_seccomp_flag_tsync = _sys_chk_seccomp_flag_kernel(flag);
+
 		return _support_seccomp_flag_tsync;
+	case SECCOMP_FILTER_FLAG_LOG:
+		if (_support_seccomp_flag_log < 0)
+			_support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
+
+		return _support_seccomp_flag_log;
 	}
 
 	return -EOPNOTSUPP;
@@ -151,6 +227,9 @@ void sys_set_seccomp_flag(int flag, bool enable)
 	case SECCOMP_FILTER_FLAG_TSYNC:
 		_support_seccomp_flag_tsync = (enable ? 1 : 0);
 		break;
+	case SECCOMP_FILTER_FLAG_LOG:
+		_support_seccomp_flag_log = (enable ? 1 : 0);
+		break;
 	}
 }
 
@@ -184,7 +263,9 @@ int sys_filter_load(const struct db_filter_col *col)
 	if (sys_chk_seccomp_syscall() == 1) {
 		int flgs = 0;
 		if (col->attr.tsync_enable)
-			flgs = SECCOMP_FILTER_FLAG_TSYNC;
+			flgs |= SECCOMP_FILTER_FLAG_TSYNC;
+		if (col->attr.log_enable)
+			flgs |= SECCOMP_FILTER_FLAG_LOG;
 		rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
 		if (rc > 0 && col->attr.tsync_enable)
 			/* always return -ESRCH if we fail to sync threads */

src/system.h

@@ -102,15 +102,28 @@ typedef struct sock_filter bpf_instr_raw;
 #ifndef SECCOMP_SET_MODE_FILTER
 #define SECCOMP_SET_MODE_FILTER		1
 #endif
+#ifndef SECCOMP_GET_ACTION_AVAIL
+#define SECCOMP_GET_ACTION_AVAIL	2
+#endif
 
 /* flags for the seccomp() syscall */
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
 #define SECCOMP_FILTER_FLAG_TSYNC	1
 #endif
+#ifndef SECCOMP_FILTER_FLAG_LOG
+#define SECCOMP_FILTER_FLAG_LOG		2
+#endif
+
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG		0x7ffc0000U /* allow after logging */
+#endif
 
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);
 
+int sys_chk_seccomp_action(uint32_t action);
+void sys_set_seccomp_action(uint32_t action, bool enable);
+
 int sys_chk_seccomp_flag(int flag);
 void sys_set_seccomp_flag(int flag, bool enable);