Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Paul Moore
Date: Mon Apr 11 2016 - 09:57:43 EST
On Mon, Apr 11, 2016 at 12:07 AM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:
> On Sun, Apr 10, 2016 at 10:30:10PM -0400, Paul Moore wrote:
>> On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen <ak@xxxxxxxxxxxxxxx> wrote:
>> > On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
>> >> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:
>> >> >> What kernel version are you using? I believe we fixed that in Linux
>> >> >> 4.5 with the following:
>> >> >
>> >> > This is 4.6-rc2.
>> >> >>
>> >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> >> >> From: Paul Moore <pmoore@xxxxxxxxxx>
>> >> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>> >> >>
>> >> >> audit: force seccomp event logging to honor the audit_enabled flag
>> >> >
>> >> > No you didn't fix it because audit_enabled is always enabled by systemd
>> >> > for user space auditing, see the original description of my patch.
>> >>
>> >> [NOTE: adding the audit list to the CC line]
>> >
>> > This mailing list is marked subscriber only in MAINTAINERS so I
>> > intentionally didn't add it. It's unlikely that my emails
>> > will make it through.
>>
>> Steve Grubb checks it on a regular basis and approves anything
>> remotely audit related. Please make use of it in the future; it's
>> listed in MAINTAINERS for a reason.
>
> Nothing has appeared by now. A mailing list that does not allow
> real time discussion is fairly useless.
>
> Dropped again.
Re-added.
There is always value in having the conversation archived.
--
paul moore
www.paul-moore.com