Date: Sun, 10 Apr 2016 21:07:44 -0700
From: Andi Kleen
To: Paul Moore
Cc: Andi Kleen, Andi Kleen, Eric Paris, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
Message-ID: <20160411040744.GH9407@two.firstfloor.org>
References: <1460214451-5435-1-git-send-email-andi@firstfloor.org> <20160410024152.GG9407@two.firstfloor.org> <20160410223155.GD2336@tassilo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 10, 2016 at 10:30:10PM -0400, Paul Moore wrote:
> On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen wrote:
> > On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
> >> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen wrote:
> >> >> What kernel version are you using? I believe we fixed that in Linux
> >> >> 4.5 with the following:
> >> >
> >> > This is 4.6-rc2.
> >> >>
> >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
> >> >> From: Paul Moore
> >> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
> >> >>
> >> >> audit: force seccomp event logging to honor the audit_enabled flag
> >> >
> >> > No you didn't fix it because audit_enabled is always enabled by systemd
> >> > for user space auditing, see the original description of my patch.
> >>
> >> [NOTE: adding the audit list to the CC line]
> >
> > This mailing list is marked subscriber only in MAINTAINERS so I
> > intentionally didn't add it. It's unlikely that my emails
> > will make it through.
>
> Steve Grubb checks it on a regular basis and approves anything
> remotely audit related. Please make use of it in the future; it's
> listed in MAINTAINERS for a reason.

Nothing has appeared by now. A mailing list that does not allow
real time discussion is fairly useless. Dropped again.

> >> If you are interested, I started tracking this issue at the link below:
> >>
> >> * https://github.com/linux-audit/audit-kernel/issues/13
> >
> > Making it a sysctl is fine for me as long as it is disabled by default
> > so that user space doesn't need to be modified to make seccomp
> > stop spamming.
> >
> > Audit should always be opt-in, not opt-out.
>
> From my perspective, you, or rather systemd in your case, is opting in
> by enabling audit.

It wants an audit channel, but not random kernel subsystems
unconditionally spamming the logs. If it wanted the latter it would
set audit rules.

>
> > However I think making it conditional on syscall auditing like
> > in my patch is equivalent and much simpler.
> >
> > If you really insist on the sysctl I can send patch.
>
> As I said earlier, I haven't given this a lot of thought as of yet,
> but so far I like the sysctl approach much more than the patch you
> sent earlier.

Ok I'm sending an updated patch.

-Andi

--
ak@linux.intel.com -- Speaking for myself only.