Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi(a)firstfloor.org> wrote:
> What kernel version are you using? I believe we fixed that in
Linux
> 4.5 with the following:
This is 4.6-rc2.
>
> commit 96368701e1c89057bbf39222e965161c68a85b4b
> From: Paul Moore <pmoore(a)redhat.com>
> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>
> audit: force seccomp event logging to honor the audit_enabled flag
No you didn't fix it because audit_enabled is always enabled by systemd
for user space auditing, see the original description of my patch.
[NOTE: adding the audit list to the CC line]
Sorry, I read your email too quickly; you are correct, that commit
fixed a different problem.
Let me think on this a bit more. Technically I don't see this as a
bug with the kernel, userspace is enabling audit and you are getting
audit messages as a result; from my opinion this is the expected
behavior. However, we've talked in the past about providing better
control over seccomp's auditing/logging and that work would allow you
to quiet all seccomp messages if you desired.
If you are interested, I started tracking this issue at the link below:
* https://github.com/linux-audit/audit-kernel/issues/13
--
paul moore
www.paul-moore.com