From: Paul Moore <paul@paul-moore.com>
To: Tony Jones <tonyj@suse.de>, Kees Cook <kees@chromium.org>
Cc: linux-security-module@vger.kernel.org, linux-audit@redhat.com
Subject: Re: seccomp and audit_enabled
Date: Mon, 12 Oct 2015 11:29:43 -0400 [thread overview]
Message-ID: <9092019.92r82W6k9o@sifl> (raw)
In-Reply-To: <56188AE9.4030306@suse.de>
On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
> Hi.
>
> What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0?
> Opera browser makes use of a sandbox and if audit_enabled == 0 (and no
> auditd is running) there is a lot of messages dumped to the klog. The fix
> to __audit_seccomp() is trivial, similar to c2412d91c and I can send a
> patch, I'm just not sure if seccomp is somehow special?
I'm adding Kees to this since he looks after the seccomp kernel bits these
days. While there isn't anything special about seccomp from an audit
perspective, the seccomp audit record can be a really nice thing as it is the
only indication you may get that seccomp has stepped in and done "something"
other than allow the syscall to progress normally.
I would be a little more concerned that you are seeing a flood of seccomp
messages from Opera, that is something that most likely warrants some closer
inspection. Are all the records the same/similar? Can you paste some into
email?
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2015-10-12 15:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-10 3:50 seccomp and audit_enabled Tony Jones
2015-10-12 15:29 ` Paul Moore [this message]
2015-10-12 15:40 ` Paul Moore
2015-10-12 17:53 ` Tony Jones
2015-10-12 20:45 ` Kees Cook
2015-10-13 16:11 ` Paul Moore
2015-10-13 17:18 ` Tony Jones
2015-10-13 19:19 ` Paul Moore
2015-10-13 19:46 ` Tony Jones
2015-10-13 20:03 ` Steve Grubb
2015-11-06 21:45 ` Tony Jones
2015-11-06 21:36 ` Tony Jones
2015-11-20 17:51 ` Tony Jones
2015-11-20 21:26 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9092019.92r82W6k9o@sifl \
--to=paul@paul-moore.com \
--cc=kees@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=tonyj@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).