From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: Limiting SECCOMP audit events
Date: Tue, 17 Apr 2018 18:54:28 -0400 [thread overview]
Message-ID: <1644244.YUtc8I8vVY@x2> (raw)
In-Reply-To: <CAHC9VhRWqHbn7NUODOeLNXwqnV0ah0vK8fNCKGUxkDVQSwxQ3Q@mail.gmail.com>
Hello,
Ping? SECCOMP events are still flooding the system. Can we do something
hackish to turn this off until a better solution can be created?
Thanks,
-Steve
On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> > On 01/02/2018 02:03 PM, Steve Grubb wrote:
> >> Hello,
> >>
> >> I know people have been busy with the holidays and things...but I just
> >> wanted to mention I'm still seeing 100's of thousands of seccomp events
> >> hitting the audit logs every day.
> >>
> >> # ausearch --start today -m seccomp --raw | aureport -x --summary
> >>
> >> Executable Summary Report
> >> =================================
> >> total file
> >> =================================
> >> 209843 /usr/lib64/firefox/firefox
> >> 2196 /usr/lib64/qt5/libexec/QtWebEngineProcess
> >>
> >> Has anyone looked at it beyond pseudo code?
> >
> > I started to throw together a quick couple of patches prior to the
> > holidays but didn't finish. Things aren't looking good for the next few
> > weeks for me so someone else should take over if it is important for
> > 4.16.
> >
> > Tyler
>
> This is also on my todo list, but it sits behind fixing one last
> libseccomp bug and getting a new release out. I made some good
> progress on the libseccomp bug right before the holiday, but I think
> there is still a days worth of work left before it is ready to be
> merged. I'm also traveling for the next week so I doubt I'll have any
> serious time to devote to the kernel patch(es).
>
> I can't remember what Tyler's last thought was on the logic, but I
> imagine I'll just wait until I see some patches to review/merge, or I
> can go back in the thread if I happen to have time before anyone else.
>
> Also, to set expectations, since we are currently at -rc6, this is
> likely going to need to wait until 4.17 at the earliest as I generally
> don't like merging new functionality in the last week or two before
> the merge window.
>
> Also (part two), we should add a test case to the audit-testsuite for
> any new knobs that affect the SECCOMP records.
next prev parent reply other threads:[~2018-04-17 22:54 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-13 23:58 Limiting SECCOMP audit events Steve Grubb
2017-12-14 0:16 ` Kees Cook
2017-12-14 0:31 ` Steve Grubb
2017-12-14 1:43 ` Paul Moore
2017-12-14 3:30 ` Steve Grubb
2017-12-14 12:42 ` Paul Moore
2017-12-14 15:29 ` Steve Grubb
2017-12-14 15:04 ` Tyler Hicks
2017-12-14 15:19 ` Steve Grubb
2017-12-14 23:06 ` Tyler Hicks
2017-12-14 23:16 ` Kees Cook
2017-12-15 14:08 ` Paul Moore
2017-12-15 15:47 ` Tyler Hicks
2017-12-15 16:09 ` Steve Grubb
2017-12-15 20:54 ` Paul Moore
2017-12-15 16:02 ` Steve Grubb
2018-01-02 20:03 ` Steve Grubb
2018-01-03 2:52 ` Tyler Hicks
2018-01-03 14:25 ` Paul Moore
2018-04-17 22:54 ` Steve Grubb [this message]
2018-04-18 1:57 ` Paul Moore
2018-04-25 0:00 ` Tyler Hicks
2018-04-26 14:41 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1644244.YUtc8I8vVY@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).