seccomp and audit_enabled

Paul Moore paul at paul-moore.com
Mon Oct 12 15:29:43 UTC 2015


On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> Hi.
> 
> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> auditd is running) there are a lot of messages dumped to the klog. The fix
> to __audit_seccomp() is trivial, similar to c2412d91c, and I can send a
> patch; I'm just not sure if seccomp is somehow special?

I'm adding Kees to this since he looks after the seccomp kernel bits these 
days.  While there isn't anything special about seccomp from an audit 
perspective, the seccomp audit record can be a really nice thing as it is the 
only indication you may get that seccomp has stepped in and done "something" 
other than allow the syscall to progress normally.

I would be a little more concerned that you are seeing a flood of seccomp 
messages from Opera; that is something that most likely warrants some closer 
inspection.  Are all the records the same/similar?  Can you paste some into 
email?

-- 
paul moore
www.paul-moore.com
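
Added example for this thread (not code from the kernel, from Opera, or from
either poster): a small C program that installs a seccomp-bpf filter which
answers one syscall with SECCOMP_RET_ERRNO, the kind of non-allow action that
Paul refers to above, and then confirms from userspace that the filter rather
than the syscall produced the result. The helper names
(install_errno_filter, probe_syscall, demo), the choice of getppid(2) as the
blocked syscall and EPERM as the substituted error are this example's own.

```c
/* Added example for this thread (not kernel or Opera code): install a
 * seccomp-bpf filter that answers one syscall with SECCOMP_RET_ERRNO and
 * show that the kernel, not the syscall, produced the result. The helper
 * names and the choice of getppid(2) with EPERM are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers differ between ABIs, and a process can issue syscalls
 * through another ABI (e.g. int 0x80 from x86_64 code), so the filter
 * checks the ABI before it looks at the syscall number. */
#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a filter that allows every syscall except blocked_nr, which
 * fails with errno err without running. Returns 0 on success, -1 on error
 * (errno set). A filter cannot be removed once installed. */
int install_errno_filter(int blocked_nr, int err)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),                /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((unsigned)err & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;

    /* Prefer seccomp(2) with SECCOMP_FILTER_FLAG_LOG (Linux 4.14+), which asks
     * the kernel to emit an audit record for this filter's non-allow actions
     * (subject to /proc/sys/kernel/seccomp/actions_logged). Older kernels
     * reject the flag or the syscall, so fall back to prctl(2). */
#if defined(SYS_seccomp) && defined(SECCOMP_FILTER_FLAG_LOG)
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog) == 0)
        return 0;
    if (errno != ENOSYS && errno != EINVAL)
        return -1;
#endif
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Issue syscall nr with no arguments and report how it was handled:
 * 0 if it ran, otherwise the errno that came back. */
int probe_syscall(long nr)
{
    errno = 0;
    return syscall(nr) == -1 ? errno : 0;
}

/* Block getppid(2) with EPERM and verify that the filter answered.
 * Returns 1 when behaviour is as expected, 0 if not, -1 on install error. */
int demo(void)
{
    int before = probe_syscall(SYS_getppid);   /* runs normally: 0 */
    if (install_errno_filter(SYS_getppid, EPERM) != 0)
        return -1;
    int after = probe_syscall(SYS_getppid);    /* filtered: EPERM */
    return (before == 0 && after == EPERM) ? 1 : 0;
}

int main(void)
{
    int rc = demo();
    if (rc < 0) {
        perror("seccomp filter install");
        return 1;
    }
    printf("getppid() under the filter: %s\n",
           rc ? "rejected with EPERM, as expected" : "unexpected result");
    printf("now check dmesg, or ausearch -m SECCOMP, for a matching record\n");
    return rc ? 0 : 1;
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` and run it as an ordinary user.
The program itself only sees the EPERM; whether the kernel also emits a
type=SECCOMP record for the rejected call depends on the kernel version and
on the audit configuration, which is exactly Paul's point above that the
audit record is the only other indication a filter has intervened. Where a
record is emitted and no auditd is running, it goes to the kernel log, which
is the flood Tony describes.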