On Tue, Apr 24, 2018 at 8:00 PM, Tyler Hicks <tyhicks(a)canonical.com> wrote:
> On 04/17/2018 08:57 PM, Paul Moore wrote:
>> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>>> Hello,
>>>
>>> Ping? SECCOMP events are still flooding the system. Can we do something
>>> hackish to turn this off until a better solution can be created?
>>
>> Pong?
>>
>> The only workarounds I can think of would be to disable audit or
>> create a filter rule excluding auditing for the noisy process. I've
>> never tried the latter, but I'm pretty sure it would work.
>
> I've pushed two branches which have slightly different behaviors. They
> only differ by the last patch in each branch. The tree is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/
>
> 1) seccomp-auditing/option-1-consistent-behavior
>
> This branch removes all special casing around audited processes. The
> decision on whether or not to audit an action no longer considers
> whether or not the process is being audited. RET_TRAP, RET_TRACE,
> and RET_ERRNO actions will only be logged if the application loads
> the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
> the final say via the kernel.seccomp.actions_logged sysctl.
>
> 2) seccomp-auditing/option-2-honor-sysctl
>
> This branch continues to special case audited processes. The decision
> to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on whether the
> SECCOMP_FILTER_FLAG_LOG bit is set OR whether the process is being
> audited. The admin has the final say via the
> kernel.seccomp.actions_logged sysctl.
>
> I prefer option #1. Play with both implementations and let me know what
> works best for your requirements. Both branches share the same
> underlying patches for emitting audit records on writes to the
> kernel.seccomp.actions_logged sysctl.

Looking quickly at the two branches, I think I prefer the
option-1-consistent-behavior approach, although some changes are
needed. Could you post those patches to the list for review/discussion?
--
paul moore
www.paul-moore.com
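The two knobs the thread talks about, seen from user space, as an added example that is not code from the thread or from either of Tyler's branches. The application side is the SECCOMP_FILTER_FLAG_LOG bit passed when the filter is loaded, which is what makes a RET_ERRNO action eligible for an audit record under option 1; the admin side is the kernel.seccomp.actions_logged sysctl, which has the final say, so the program reads it first and reports whether "errno" is enabled at all. It assumes Linux kernel headers, an x86_64 or aarch64 build, and getpgid(2) as an arbitrary harmless syscall to deny; the fallback value of SECCOMP_FILTER_FLAG_LOG is for headers that predate it.

```c
/* Added example: load a seccomp filter with SECCOMP_FILTER_FLAG_LOG and check
 * the kernel.seccomp.actions_logged sysctl. Not code from the thread. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)  /* value from linux/seccomp.h, for older headers */
#endif

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_ARCH 0  /* unknown arch: install_filter() refuses to load */
#endif

#define SYSCTL_ACTIONS_LOGGED "/proc/sys/kernel/seccomp/actions_logged"

/* Build a classic BPF filter: verify the arch, return RET_ERRNO(EPERM) for
 * syscall `nr`, RET_ALLOW for everything else. Returns the instruction count,
 * or 0 if `cap` is too small. */
size_t build_deny_filter(struct sock_filter *out, size_t cap, int nr)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof insns / sizeof insns[0];
    if (cap < n)
        return 0;
    memcpy(out, insns, sizeof insns);
    return n;
}

/* Load the filter; `want_log` sets SECCOMP_FILTER_FLAG_LOG so the kernel may
 * emit audit records for RET_ERRNO hits. Returns 0, or -1 with errno set. */
int install_filter(struct sock_filter *insns, size_t n, int want_log)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    unsigned long flags = want_log ? SECCOMP_FILTER_FLAG_LOG : 0;

    if (SECCOMP_ARCH == 0) {
        errno = ENOSYS;
        return -1;
    }
    /* Unprivileged filter loading requires no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    /* seccomp(2) has no libc wrapper on older systems; use syscall(2). */
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
}

/* Return 1 if `action` ("errno", "trap", ...) appears as a whole word in the
 * whitespace-separated sysctl value, else 0. */
int action_is_logged(const char *sysctl_value, const char *action)
{
    size_t alen = strlen(action);
    const char *p = sysctl_value;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        if ((size_t)(p - start) == alen && memcmp(start, action, alen) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    char value[256] = "";
    struct sock_filter filter[16];
    FILE *f = fopen(SYSCTL_ACTIONS_LOGGED, "r");

    if (f) {
        size_t got = fread(value, 1, sizeof value - 1, f);
        value[got] = '\0';
        fclose(f);
        printf("actions_logged: %s", value);
        printf("RET_ERRNO %s be audited on this kernel\n",
               action_is_logged(value, "errno") ? "can" : "will NOT");
    } else {
        printf("no %s on this kernel\n", SYSCTL_ACTIONS_LOGGED);
    }

    /* Deny getpgid(2): harmless to call, easy to observe. */
    size_t n = build_deny_filter(filter, sizeof filter / sizeof filter[0], SYS_getpgid);
    if (install_filter(filter, n, 1) == -1) {
        perror("seccomp");
        return 1;
    }
    if (getpgid(0) == -1)
        printf("getpgid denied: errno=%d (%s)\n", errno, strerror(errno));
    return 0;
}
```

When debugging the "why am I (not) seeing SECCOMP audit records" question this thread is about, the sysctl check is the first thing to look at: under option 1 a filter loaded without the flag produces no records for RET_ERRNO regardless of the process's audit state, and a sysctl value without "errno" suppresses them even when the flag is set.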