On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <a...@firstfloor.org> wrote: >> What kernel version are you using? I believe we fixed that in Linux >> 4.5 with the following: > > This is 4.6-rc2. >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b >> From: Paul Moore <pmo...@redhat.com> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500) >> >> audit: force seccomp event logging to honor the audit_enabled flag > > No you didn't fix it because audit_enabled is always enabled by systemd > for user space auditing, see the original description of my patch.
[NOTE: adding the audit list to the CC line] Sorry, I read your email too quickly; you are correct, that commit fixed a different problem. Let me think on this a bit more. Technically I don't see this as a bug with the kernel, userspace is enabling audit and you are getting audit messages as a result; from my opinion this is the expected behavior. However, we've talked in the past about providing better control over seccomp's auditing/logging and that work would allow you to quiet all seccomp messages if you desired. If you are interested, I started tracking this issue at the link below: * https://github.com/linux-audit/audit-kernel/issues/13 -- paul moore www.paul-moore.com
