From: Andi Kleen <ak@linux.intel.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Andi Kleen <andi@firstfloor.org>, Eric Paris <eparis@redhat.com>,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
Date: Sun, 10 Apr 2016 15:31:55 -0700	[thread overview]
Message-ID: <20160410223155.GD2336@tassilo.jf.intel.com> (raw)
In-Reply-To: <CAHC9VhT1Eu_Z5xk-e3iF7nJT7QZOH1VJuvJBvB5UAZ5CV9=fVQ@mail.gmail.com>

On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
> >> What kernel version are you using?  I believe we fixed that in Linux
> >> 4.5 with the following:
> >
> > This is 4.6-rc2.
> >>
> >>   commit 96368701e1c89057bbf39222e965161c68a85b4b
> >>   From: Paul Moore <pmoore@redhat.com>
> >>   Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
> >>
> >>   audit: force seccomp event logging to honor the audit_enabled flag
> >
> > No you didn't fix it because audit_enabled is always enabled by systemd
> > for user space auditing, see the original description of my patch.
> 
> [NOTE: adding the audit list to the CC line]

This mailing list is marked subscriber only in MAINTAINERS so I
intentionally didn't add it. It's unlikely that my emails
will make it through.

> Sorry, I read your email too quickly; you are correct, that commit
> fixed a different problem.
> 
> Let me think on this a bit more.  Technically I don't see this as a
> bug with the kernel, userspace is enabling audit and you are getting
> audit messages as a result; from my opinion this is the expected

It's a bug in the kernel because seccomp is different from everything else.

The kernel only produces audit messages when audit rules are set
for every other case.

The only exception is this seccomp message which is produced
unconditionally. It doesn't make sense to treat seccomp specially
here. It should only be audited when some kind of rule is set.

> behavior.  However, we've talked in the past about providing better
> control over seccomp's auditing/logging and that work would allow you
> to quiet all seccomp messages if you desired.
> 
> If you are interested, I started tracking this issue at the link below:
> 
>  * https://github.com/linux-audit/audit-kernel/issues/13

Making it a sysctl is fine for me as long as it is disabled by default
so that user space doesn't need to be modified to make seccomp
stop spamming.

Audit should always be opt-in, not opt-out.

However I think making it conditional on syscall auditing like
in my patch is equivalent and much simpler.

If you really insist on the sysctl I can send a patch.

-Andi

Thread overview: 9+ messages
2016-04-09 15:07 [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled Andi Kleen
2016-04-10  0:56 ` Paul Moore
2016-04-10  2:41   ` Andi Kleen
2016-04-10 22:17     ` Paul Moore
2016-04-10 22:31       ` Andi Kleen [this message]
2016-04-11  2:30         ` Paul Moore
2016-04-11  4:07           ` Andi Kleen
2016-04-11 13:23             ` Paul Moore
2016-04-12 20:34         ` Richard Guy Briggs