On Sat, Apr 9, 2016 at 11:07 AM, Andi Kleen <a...@firstfloor.org> wrote:
> From: Andi Kleen <a...@linux.intel.com>
>
> When I run chrome on my opensuse system every time I open
> a new tab the system log is spammed with:
>
> audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
> comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
> syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000
>
> This happens because chrome uses SECCOMP for its sandbox,
> and for some reason always reaches a SECCOMP_KILL or more likely
> SECCOMP_RET_ERRNO in the rule set.
>
> The seccomp auditing was originally added ...

Hi Andi,

What kernel version are you using?  I believe we fixed that in Linux
4.5 with the following:

  commit 96368701e1c89057bbf39222e965161c68a85b4b
  From: Paul Moore <pmo...@redhat.com>
  Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)

  audit: force seccomp event logging to honor the audit_enabled flag

  Previously we were emitting seccomp audit records regardless of the
  audit_enabled setting, a departure from the rest of audit.  This
  patch makes seccomp auditing consistent with the rest of the audit
  record generation code in that when audit_enabled=0 nothing is logged
  by the audit subsystem.

  The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
  CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
  code change was in the audit_seccomp() definition.

  Signed-off-by: Tony Jones <to...@suse.de>
  Signed-off-by: Paul Moore <pmo...@redhat.com>

-- 
paul moore
www.paul-moore.com
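
The following decoder is an added example, not part of the thread or of the kernel patch: it parses a SECCOMP audit record like the one quoted above and translates its `arch=`, `syscall=` and `code=` fields, which shows which filter action produced the log line. The function name, the one-entry syscall table and the sample string (the quoted record joined onto one line) are assumptions made for the example; the numeric constants are those of the kernel UAPI headers.

```python
import re

# Constants from linux/seccomp.h, linux/audit.h and the ELF machine numbers.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000   # action bits of a filter return value
ACTIONS = {
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00000000: "SECCOMP_RET_KILL_THREAD",   # SECCOMP_RET_KILL in 2016 kernels
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FC00000: "SECCOMP_RET_USER_NOTIF",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}
AUDIT_ARCH_64BIT = 0x80000000          # __AUDIT_ARCH_64BIT
AUDIT_ARCH_LE = 0x40000000             # __AUDIT_ARCH_LE
MACHINES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
# Assumption for the example: only the syscall number seen in the thread.
SYSCALLS = {("x86_64", 273): "set_robust_list"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_seccomp_record(line):
    """Decode the arch=, syscall= and code= fields of one SECCOMP record."""
    if "SECCOMP" not in line:
        raise ValueError("not a SECCOMP audit record")
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    arch = int(f["arch"], 16)          # logged as bare hex, without 0x
    code = int(f["code"], 16)          # logged with a 0x prefix
    machine = MACHINES.get(arch & 0xFFFF, "em_%d" % (arch & 0xFFFF))
    nr = int(f["syscall"])
    return {
        "pid": int(f["pid"]),
        "comm": f["comm"],
        "machine": machine,
        "bits": 64 if arch & AUDIT_ARCH_64BIT else 32,
        "little_endian": bool(arch & AUDIT_ARCH_LE),
        "syscall": SYSCALLS.get((machine, nr), str(nr)),
        "action": ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, "unknown"),
        "sig": int(f["sig"]),
    }

# Constructed input: the record quoted in the thread, joined onto one line.
SAMPLE = ('audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857 '
          'comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e '
          'syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000')

if __name__ == "__main__":
    print(decode_seccomp_record(SAMPLE))
```

For the quoted record this reports an x86_64 `set_robust_list` call answered with `SECCOMP_RET_ERRNO` and no signal delivered.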