Re: seccomp and audit_enabled

On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote: > Hi. > > What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? > Opera browser makes use of a sandbox and if audit_enabled == 0 (and no > auditd is running) there is a lot of messages dumped to the klog. The fix > to __audit_seccomp() is trivial, similar to c2412d91c and I can send a > patch, I'm just not sure if seccomp is somehow special? I'm adding Kees to this since he looks after the seccomp kernel bits these days. While there isn't anything special about seccomp from an audit perspective, the seccomp audit record can be a really nice thing as it is the only indication you may get that seccomp has stepped in and done "something" other than allow the syscall to progress normally. I would be a little more concerned that you are seeing a flood of seccomp messages from Opera, that is something that most likely warrants some closer inspection. Are all the records the same/similar? Can you paste some into email?