On 10/13/2015 12:19 PM, Paul Moore wrote:
>> No, it's the default audit.rules (-D, -b320). No actual
>> rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far. I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.
I'll debug what's going on (easy) on the test system and report back. I'm
curious too. Have a bad cold today so I'm moving slower than normal.
> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy); if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals. To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).
Yes, if audit is enabled, you should totally be able to use it. Rest sounds good also.
thanks!
Tony