Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default

From: Andi Kleen
Date: Mon Apr 11 2016 - 17:55:25 EST

Next message: Rhyland Klein: "[PATCH v2] arm64: tegra: Add pinmux for Smaug board"
Previous message: Daniel Walker: "Re: checkpatch false positon on EXPORT_SYMBOL"
In reply to: Eric Paris: "Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default"
Next in thread: Paul Moore: "Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 11, 2016 at 10:58:06AM -0500, Eric Paris wrote:
> Just an FYI originally the idea was to follow the pattern of logging
> set by core dumps see kernel/auditsc.c::audit_core_dumps(). Which is
> gated by audit_enable but not anything else. I believe at that time the
> only option was kill, which meant, much like the core dumper, spam was
> not a likely result given the initiator is killed.

Given that user space now uses audit independently for its own
logging I don't think making things depend only on audit_enable
is good practice anymore.

>
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm no so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.

That was my original patch -- make it conditional on syscall auditing.

If that's the right approach please apply that one.

-Andi

Next message: Rhyland Klein: "[PATCH v2] arm64: tegra: Add pinmux for Smaug board"
Previous message: Daniel Walker: "Re: checkpatch false positon on EXPORT_SYMBOL"
In reply to: Eric Paris: "Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default"
Next in thread: Paul Moore: "Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]