My apologies for the resend, I had the wrong email for Kees. On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote: > On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote: > > Hi. > > > > What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? > > Opera browser makes use of a sandbox and if audit_enabled == 0 (and no > > auditd is running) there is a lot of messages dumped to the klog. The fix > > to __audit_seccomp() is trivial, similar to c2412d91c and I can send a > > patch, I'm just not sure if seccomp is somehow special? > > I'm adding Kees to this since he looks after the seccomp kernel bits these > days. While there isn't anything special about seccomp from an audit > perspective, the seccomp audit record can be a really nice thing as it is > the only indication you may get that seccomp has stepped in and done > "something" other than allow the syscall to progress normally. > > I would be a little more concerned that you are seeing a flood of seccomp > messages from Opera, that is something that most likely warrants some closer > inspection. Are all the records the same/similar? Can you paste some into > email?
-- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html