Re: Limiting SECCOMP audit events

> Looks good to me but two things: > > * Change the name of __audit_seccomp() to audit_seccomp() since we don't > have two functions anymore. > > * Are we sure about removing the audit_enabled check? People got pretty > upset when it wasn't there in the past. Do you have any references to the complaints so that we can understand them better? I remember being surprised by commit 96368701 adding the audit_enabled check (my fault for not watching the list closer) and having to revert it in Ubuntu with a distro patch. After sleeping on it for a night, I'm now unsure if the patch I sent in this thread is what you guys really want. I'll go back to talking in pseudocode. This is what we have in 4.14: if action == RET_ALLOW: do not log else if action == RET_KILL && RET_KILL in actions_logged: log else if action == RET_LOG && RET_LOG in actions_logged: log else if filter-requests-logging && action in actions_logged: log else if audit_enabled && process-is-being-audited: log else: do not log This is what the patch in this thread does: --- a/seccomp-log.pseudo +++ b/seccomp-log.pseudo @@ -6,7 +6,5 @@ log else if filter-requests-logging && action in actions_logged: log - else if audit_enabled && process-is-being-audited: - log else: do not log Instead of that change, now I'm wondering if this is what you really want: --- a/seccomp-log.pseudo +++ b/seccomp-log.pseudo @@ -6,7 +6,8 @@ log else if filter-requests-logging && action in actions_logged: log - else if audit_enabled && process-is-being-audited: + else if audit_enabled && process-is-being-audited && + action in actions_logged: log else: do not log After refactoring the 'action in actions_logged' check, it would leave us with this: if action == RET_ALLOW: do not log else if action not in actions_logged: do not log

else if action == RET_KILL: log else if action == RET_LOG: log else if filter-requests-logging: log else if audit_enabled && process-is-being-audited: log else: do not log