From: Paul Moore <paul@paul-moore.com>
To: Tony Jones <tonyj@suse.de>, keescook@chromium.org
Cc: linux-security-module@vger.kernel.org, linux-audit@redhat.com
Subject: Re: seccomp and audit_enabled
Date: Mon, 12 Oct 2015 11:40:16 -0400
Message-ID: <4636418.ofTBd0bpCf@sifl>
In-Reply-To: <9092019.92r82W6k9o@sifl>

My apologies for the resend, I had the wrong email for Kees.

On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> > Hi.
> >
> > What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
> > Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> > auditd is running) there are a lot of messages dumped to the klog. The fix
> > to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> > patch, I'm just not sure if seccomp is somehow special?
>
> I'm adding Kees to this since he looks after the seccomp kernel bits these
> days. While there isn't anything special about seccomp from an audit
> perspective, the seccomp audit record can be a really nice thing as it is
> the only indication you may get that seccomp has stepped in and done
> "something" other than allow the syscall to progress normally.
>
> I would be a little more concerned that you are seeing a flood of seccomp
> messages from Opera, that is something that most likely warrants some closer
> inspection. Are all the records the same/similar? Can you paste some into
> email?
--
paul moore
www.paul-moore.com