Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled

From: Paul Moore
Date: Sat Apr 09 2016 - 20:57:02 EST


On Sat, Apr 9, 2016 at 11:07 AM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:
> From: Andi Kleen <ak@xxxxxxxxxxxxxxx>
>
> When I run chrome on my opensuse system every time I open
> a new tab the system log is spammed with:
>
> audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
> comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
> syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000
>
> This happens because chrome uses SECCOMP for its sandbox,
> and for some reason always reaches a SECCOMP_KILL or more likely
> SECCOMP_RET_ERRNO in the rule set.
>
> The seccomp auditing was originally added ...

Hi Andi,

What kernel version are you using? I believe we fixed that in Linux
4.5 with the following:

commit 96368701e1c89057bbf39222e965161c68a85b4b
From: Paul Moore <pmoore@xxxxxxxxxx>
Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)

audit: force seccomp event logging to honor the audit_enabled flag

Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a deparature from the rest of audit. This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.

The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.

Signed-off-by: Tony Jones <tonyj@xxxxxxx>
Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>

--
paul moore
www.paul-moore.com