Re: Limiting SECCOMP audit events

On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks(a)canonical.com&gt; wrote: > On 01/02/2018 02:03 PM, Steve Grubb wrote: >> Hello, >> >> I know people have been busy with the holidays and things...but I just >> wanted to mention I'm still seeing 100's of thousands of seccomp events >> hitting the audit logs every day. >> >> # ausearch --start today -m seccomp --raw | aureport -x --summary >> >> Executable Summary Report >> ================================= >> total file >> ================================= >> 209843 /usr/lib64/firefox/firefox >> 2196 /usr/lib64/qt5/libexec/QtWebEngineProcess >> >> Has anyone looked at it beyond pseudo code? > > I started to throw together a quick couple of patches prior to the > holidays but didn't finish. Things aren't looking good for the next few > weeks for me so someone else should take over if it is important for > 4.16. > > Tyler This is also on my todo list, but it sits behind fixing one last libseccomp bug and getting a new release out. I made some good progress on the libseccomp bug right before the holiday, but I think there is still a days worth of work left before it is ready to be merged. I'm also traveling for the next week so I doubt I'll have any serious time to devote to the kernel patch(es). I can't remember what Tyler's last thought was on the logic, but I imagine I'll just wait until I see some patches to review/merge, or I can go back in the thread if I happen to have time before anyone else. Also, to set expectations, since we are currently at -rc6, this is likely going to need to wait until 4.17 at the earliest as I generally don't like merging new functionality in the last week or two before the merge window. Also (part two), we should add a test case to the audit-testsuite for any new knobs that affect the SECCOMP records.