On Monday, November 23, 2015 05:35:58 PM Paul Moore wrote:
On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones <tonyj(a)suse.de> wrote:
> On 11/23/2015 02:20 PM, Paul Moore wrote:
>> Previously we were emitting seccomp audit records regardless of the
>> audit_enabled setting, a departure from the rest of audit. This
>> patch makes seccomp auditing consistent with the rest of the audit
>> record generation code in that when audit_enabled=0 nothing is logged
>> by the audit subsystem.
>>
>> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
>> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
>> code change was in the audit_seccomp() definition.
>>
>> Reported-by: Tony Jones <tonyj(a)suse.de>
>> Signed-off-by: Paul Moore <pmoore(a)redhat.com>
>
> Seems pretty much the same (functionally) as the patch I posted to audit
> list on 10/12/2015 except that didn't hoist the entire block.
Yep, I preferred to move the block as I think it should have been that
way anyway from the start. IMHO we got too many audit Kconfig knobs
as-is and splitting that block for just the audit_enabled flag made
things worse.
> Signed-off-by: Tony Jones <tonyj(a)suse.de>
I just merged this patch into audit#next, the only change is I replaced the
"Reported-by" for Tony with his sign-off.
--
paul moore
security @ redhat