On Tue, Apr 24, 2018 at 8:00 PM, Tyler Hicks <[email protected]> wrote:
> On 04/17/2018 08:57 PM, Paul Moore wrote:
>> On Tue, Apr 17, 2018 at 6:54 PM, Steve Grubb <[email protected]> wrote:
>>> Hello,
>>>
>>> Ping? SECCOMP events are still flooding the system. Can we do something
>>> hackish to turn this off until a better solution can be created?
>>
>> Pong?
>>
>> The only workarounds I can think of would be to disable audit or
>> create a filter rule excluding auditing for the noisy process. I've
>> never tried the latter, but I'm pretty sure it would work.
>
> I've pushed two branches which have slightly different behaviors. They
> only differ by the last patch in each branch. The tree is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/linux.git/
>
> 1) seccomp-auditing/option-1-consistent-behavior
>    This branch removes all special casing around audited processes. The
>    decision on whether or not to audit an action no longer considers
>    whether or not the process is being audited. RET_TRAP, RET_TRACE,
>    and RET_ERRNO actions will only be logged if the application loads
>    the filter with the SECCOMP_FILTER_FLAG_LOG bit set. The admin has
>    the final say via the kernel.seccomp.actions_logged sysctl.
>
> 2) seccomp-auditing/option-2-honor-sysctl
>    This branch continues to special case audited processes. The decision
>    to log RET_TRAP, RET_TRACE, and RET_ERRNO actions depends on if the
>    SECCOMP_FILTER_FLAG_LOG bit being set OR if the process is being
>    audited. The admin has the final say via the
>    kernel.seccomp.actions_logged sysctl.
>
> I prefer option #1. Play with both implementations and let me know what
> works best for your requirements. Both branches share the same
> underlying patches for emitting audit records on writes to the
> kernel.seccomp.actions_logged sysctl.

Looking quickly at the two branches, I think I prefer the
option-1-consistent-behavior approach, although some changes are needed.
Could you post those patches to list for review/discussion?

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
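An added example, not code from the thread or from Tyler's tree, of the application-side opt-in the branches discuss: a minimal seccomp-BPF filter that fails one syscall with RET_ERRNO and is loaded with SECCOMP_FILTER_FLAG_LOG. It assumes 4.14+ kernel UAPI headers and an x86_64 or aarch64 build; under option 1 the RET_ERRNO hit is then audited only if "errno" is still listed in the admin's kernel.seccomp.actions_logged sysctl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>   /* SECCOMP_FILTER_FLAG_LOG needs 4.14+ UAPI headers */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#else
#define FILTER_ARCH AUDIT_ARCH_AARCH64   /* assumption: only x86_64/aarch64 covered here */
#endif
enum { FILTER_LEN = 7 };
static struct sock_filter g_insns[FILTER_LEN];
/* RET_ERRNO action word: the low 16 bits (SECCOMP_RET_DATA) carry the errno value. */
static unsigned errno_action(int err) { return SECCOMP_RET_ERRNO | ((unsigned)err & SECCOMP_RET_DATA); }
/* Fill `out` (FILTER_LEN slots): kill on arch mismatch, fail syscall `nr`
 * with errno `err` via SECCOMP_RET_ERRNO, allow everything else. */
static size_t build_filter(struct sock_filter *out, int nr, int err)
{
    struct sock_filter f[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, errno_action(err)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    for (size_t i = 0; i < FILTER_LEN; i++) out[i] = f[i];
    return FILTER_LEN;
}
/* Load it. SECCOMP_FILTER_FLAG_LOG is the application's opt-in to audit RET_ERRNO,
 * RET_TRAP and RET_TRACE hits; kernel.seccomp.actions_logged still has the final say. */
static int install_filter(struct sock_filter *insns, size_t n, unsigned long flags)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))   /* required for unprivileged callers */
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
}
int main(void)
{
    if (install_filter(g_insns, build_filter(g_insns, SYS_getppid, EPERM), SECCOMP_FILTER_FLAG_LOG))
        return perror("seccomp"), 1;
    /* getppid() now fails with EPERM; with "errno" in actions_logged, audit records the hit */
    printf("getppid() -> %ld, errno=%d (EPERM=%d)\n", (long)getppid(), errno, EPERM);
}
```

Loading the same filter without the flag is what option 1 makes silent regardless of whether the process is audited; `sysctl kernel.seccomp.actions_logged` shows which actions the admin still allows to be logged.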
