[PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
Paul Moore
paul at paul-moore.com
Sun Apr 10 22:17:53 UTC 2016
On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi at firstfloor.org> wrote:
>> What kernel version are you using? I believe we fixed that in Linux
>> 4.5 with the following:
>
> This is 4.6-rc2.
>>
>> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> From: Paul Moore <pmoore at redhat.com>
>> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>>
>> audit: force seccomp event logging to honor the audit_enabled flag
>
> No you didn't fix it because audit_enabled is always enabled by systemd
> for user space auditing, see the original description of my patch.
[NOTE: adding the audit list to the CC line]
Sorry, I read your email too quickly; you are correct, that commit
fixed a different problem.
Let me think on this a bit more. Technically I don't see this as a
bug with the kernel, userspace is enabling audit and you are getting
audit messages as a result; from my opinion this is the expected
behavior. However, we've talked in the past about providing better
control over seccomp's auditing/logging and that work would allow you
to quiet all seccomp messages if you desired.
If you are interested, I started tracking this issue at the link below:
* https://github.com/linux-audit/audit-kernel/issues/13
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list