[PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled

From: Andi Kleen
Date: Sat Apr 09 2016 - 11:11:16 EST


From: Andi Kleen <ak@xxxxxxxxxxxxxxx>

When I run chrome on my opensuse system every time I open
a new tab the system log is spammed with:

audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000

This happens because chrome uses SECCOMP for its sandbox,
and for some reason always reaches a SECCOMP_KILL or more likely
SECCOMP_RET_ERRNO in the rule set.

The seccomp auditing was originally added by Eric with

commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
Author: Eric Paris <eparis@xxxxxxxxxx>
Date: Tue Jan 3 14:23:05 2012 -0500

seccomp: audit abnormal end to a process due to seccomp

The audit system likes to collect information about processes that
end
abnormally (SIGSEGV) as this may me useful intrusion detection
information.
This patch adds audit support to collect information when seccomp
forces a
task to exit because of misbehavior in a similar way.

I don't have any other syscall auditing enabled,
just the standard user space auditing used by the systemd
and PAM userland. So basic auditing is alwas enabled,
but no other kernel auditing.

I don't think it makes much sense to only log seccomp events when
nothing else is audited by the kernel.

So make the seccomp auditing depend on syscall auditing being
enabled. This stops the log spam on my system, and still gives
the information on system with heavier auditing enabled.

Cc: eparis@xxxxxxxxxx
Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
---
include/linux/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index e38e3fc..379970f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -317,7 +317,7 @@ void audit_core_dumps(long signr);

static inline void audit_seccomp(unsigned long syscall, long signr, int code)
{
- if (!audit_enabled)
+ if (!audit_enabled || !test_thread_flag(TIF_SYSCALL_AUDIT))
return;

/* Force a record to be reported if a signal was delivered. */
--
2.7.4