Date: Mon, 11 Apr 2016 14:55:17 -0700
From: Andi Kleen <andi@firstfloor.org>
To: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>, Andi Kleen <andi@firstfloor.org>,
        linux-kernel@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
        linux-audit@redhat.com
Subject: Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by
 default
Message-ID: <20160411215516.GK9407@two.firstfloor.org>
References: <1460348008-27076-1-git-send-email-andi@firstfloor.org>
 <CAHC9VhTnkbU_kJbOdwTF4BW=qZTL_xR7CddCZ5CDXKNNvi_nUQ@mail.gmail.com>
 <1460390286.3268.36.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1460390286.3268.36.camel@redhat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1008
Lines: 23

On Mon, Apr 11, 2016 at 10:58:06AM -0500, Eric Paris wrote:
> Just an FYI originally the idea was to follow the pattern of logging
> set by core dumps see kernel/auditsc.c::audit_core_dumps(). Which is
> gated by audit_enable but not anything else. I believe at that time the
> only option was kill, which meant, much like the core dumper, spam was
> not a likely result given the initiator is killed.

Given that user space now uses audit independently for its own
logging I don't think making things depend only on audit_enable
is good practice anymore.

> 
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm no so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.

That was my original patch -- make it conditional on syscall auditing.

If that's the right approach please apply that one.

-Andi