Limiting SECCOMP audit events

Paul Moore paul at
Wed Jan 3 14:25:12 UTC 2018

On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks at> wrote:
> On 01/02/2018 02:03 PM, Steve Grubb wrote:
>> Hello,
>> I know people have been busy with the holidays and things...but I just wanted
>> to mention I'm still seeing 100's of thousands of seccomp events hitting the
>> audit logs every day.
>> # ausearch --start today -m seccomp --raw | aureport -x --summary
>> Executable Summary Report
>> =================================
>> total  file
>> =================================
>> 209843  /usr/lib64/firefox/firefox
>> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
>> Has anyone looked at it beyond pseudo code?
> I started to throw together a quick couple of patches prior to the
> holidays but didn't finish. Things aren't looking good for the next few
> weeks for me so someone else should take over if it is important for 4.16.
> Tyler

This is also on my todo list, but it sits behind fixing one last
libseccomp bug and getting a new release out.  I made some good
progress on the libseccomp bug right before the holiday, but I think
there is still a days worth of work left before it is ready to be
merged.  I'm also traveling for the next week so I doubt I'll have any
serious time to devote to the kernel patch(es).

I can't remember what Tyler's last thought was on the logic, but I
imagine I'll just wait until I see some patches to review/merge, or I
can go back in the thread if I happen to have time before anyone else.

Also, to set expectations, since we are currently at -rc6, this is
likely going to need to wait until 4.17 at the earliest as I generally
don't like merging new functionality in the last week or two before
the merge window.

Also (part two), we should add a test case to the audit-testsuite for
any new knobs that affect the SECCOMP records.

paul moore

More information about the Linux-audit mailing list