• Tyler Hicks's avatar
    seccomp: Don't special case audited processes when logging · 326bee02
    Tyler Hicks authored
    Seccomp logging for "handled" actions such as RET_TRAP, RET_TRACE, or
    RET_ERRNO can be very noisy for processes that are being audited. This
    patch modifies the seccomp logging behavior to treat processes that are
    being inspected via the audit subsystem the same as processes that
    aren't under inspection. Handled actions will no longer be logged just
    because the process is being inspected. Since v4.14, applications have
    the ability to request logging of handled actions by using the
    SECCOMP_FILTER_FLAG_LOG flag when loading seccomp filters.
    
    With this patch, the logic for deciding if an action will be logged is:
    
      if action == RET_ALLOW:
        do not log
      else if action not in actions_logged:
        do not log
      else if action == RET_KILL:
        log
      else if action == RET_LOG:
        log
      else if filter-requests-logging:
        log
      else:
        do not log
    Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
    Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    326bee02
auditsc.c 66.9 KB