From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: Should audit_seccomp check audit_enabled? Date: Fri, 23 Oct 2015 15:13:01 -0400 Message-ID: <20151023191301.GD1577@madcap2.tricolour.ca> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Andy Lutomirski Cc: linux-audit@redhat.com, "linux-kernel@vger.kernel.org" List-Id: linux-audit@redhat.com On 15/10/23, Andy Lutomirski wrote: > I would argue that, if auditing is off, audit_seccomp shouldn't do > anything. After all, unlike e.g. selinux, seccomp is not a systemwide > policy, and seccomp signals might be ordinary behavior that's internal > to the seccomp-using application. IOW, for people with audit compiled > in and subscribed by journald but switched off, I think that the > records shouldn't be emitted. > > If you agree, I can send the two-line patch. This sounds reasonable to me. It isn't an AVC. Steve? Paul? > --Andy - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545