From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: [RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
Date: Tue, 24 Nov 2015 13:57:35 -0500
Message-ID: <2926601.ZKozHlF6o1@sifl>
References: <20151123222006.15340.18040.stgit@localhost> <56539144.6000008@suse.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Return-path:
In-Reply-To:
Sender: owner-linux-security-module@vger.kernel.org
To: linux-audit@redhat.com
Cc: Tony Jones, linux-security-module@vger.kernel.org
List-Id: linux-audit@redhat.com

On Monday, November 23, 2015 05:35:58 PM Paul Moore wrote:
> On Mon, Nov 23, 2015 at 5:20 PM, Tony Jones wrote:
> > On 11/23/2015 02:20 PM, Paul Moore wrote:
> >> Previously we were emitting seccomp audit records regardless of the
> >> audit_enabled setting, a departure from the rest of audit. This
> >> patch makes seccomp auditing consistent with the rest of the audit
> >> record generation code in that when audit_enabled=0 nothing is logged
> >> by the audit subsystem.
> >>
> >> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
> >> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
> >> code change was in the audit_seccomp() definition.
> >>
> >> Reported-by: Tony Jones
> >> Signed-off-by: Paul Moore
> >
> > Seems pretty much the same (functionally) as the patch I posted to audit
> > list on 10/12/2015 except that didn't hoist the entire block.
>
> Yep, I preferred to move the block as I think it should have been that
> way anyway from the start. IMHO we got too many audit Kconfig knobs
> as-is and splitting that block for just the audit_enabled flag made
> things worse.
>
> > Signed-off-by: Tony Jones

I just merged this patch into audit#next, the only change is I replaced the
"Reported-by" for Tony with his sign-off.

--
paul moore
security @ redhat