On Sun, Apr 10, 2016 at 10:30:10PM -0400, Paul Moore wrote:
> On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen <a...@linux.intel.com> wrote:
> > On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
> >> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <a...@firstfloor.org> wrote:
> >> >> What kernel version are you using? I believe we fixed that in Linux
> >> >> 4.5 with the following:
> >> >
> >> > This is 4.6-rc2.
> >> >>
> >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
> >> >> From: Paul Moore <pmo...@redhat.com>
> >> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
> >> >>
> >> >> audit: force seccomp event logging to honor the audit_enabled flag
> >> >
> >> > No you didn't fix it because audit_enabled is always enabled by systemd
> >> > for user space auditing, see the original description of my patch.
> >>
> >> [NOTE: adding the audit list to the CC line]
> >
> > This mailing list is marked subscriber only in MAINTAINERS so I
> > intentionally didn't add it. It's unlikely that my emails
> > will make it through.
>
> Steve Grubb checks it on a regular basis and approves anything
> remotely audit related. Please make use of it in the future; it's
> listed in MAINTAINERS for a reason.

Nothing has appeared by now. A mailing list that does not allow real time
discussion is fairly useless. Dropped again.

> >> If you are interested, I started tracking this issue at the link below:
> >>
> >> * https://github.com/linux-audit/audit-kernel/issues/13
> >
> > Making it a sysctl is fine for me as long as it is disabled by default
> > so that user space doesn't need to be modified to make seccomp
> > stop spamming.
> >
> > Audit should always be opt-in, not opt-out.
>
> From my perspective, you, or rather systemd in your case, is opting in
> by enabling audit.

It wants an audit channel, but not random kernel subsystems unconditionally
spamming the logs. If it wanted the latter it would set audit rules.

>
> > However I think making it conditional on syscall auditing like
> > in my patch is equivalent and much simpler.
> >
> > If you really insist on the sysctl I can send a patch.
>
> As I said earlier, I haven't given this a lot of thought as of yet,
> but so far I like the sysctl approach much more than the patch you
> sent earlier.

Ok I'm sending an updated patch.

-Andi

--
a...@linux.intel.com -- Speaking for myself only.