From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: Limiting SECCOMP audit events
Date: Tue, 17 Apr 2018 18:54:28 -0400
Message-ID: <1644244.YUtc8I8vVY@x2>
In-Reply-To: <CAHC9VhRWqHbn7NUODOeLNXwqnV0ah0vK8fNCKGUxkDVQSwxQ3Q@mail.gmail.com>

Hello,

Ping?  SECCOMP events are still flooding the system. Can we do something 
hackish to turn this off until a better solution can be created?

Thanks,
-Steve


On Wednesday, January 3, 2018 9:25:12 AM EDT Paul Moore wrote:
> On Tue, Jan 2, 2018 at 9:52 PM, Tyler Hicks <tyhicks@canonical.com> wrote:
> > On 01/02/2018 02:03 PM, Steve Grubb wrote:
> >> Hello,
> >> 
> >> I know people have been busy with the holidays and things...but I just
> >> wanted to mention I'm still seeing 100's of thousands of seccomp events
> >> hitting the audit logs every day.
> >> 
> >> # ausearch --start today -m seccomp --raw | aureport -x --summary
> >> 
> >> Executable Summary Report
> >> =================================
> >> total  file
> >> =================================
> >> 209843  /usr/lib64/firefox/firefox
> >> 2196  /usr/lib64/qt5/libexec/QtWebEngineProcess
> >> 
> >> Has anyone looked at it beyond pseudo code?
> > 
> > I started to throw together a quick couple of patches prior to the
> > holidays but didn't finish. Things aren't looking good for the next few
> > weeks for me so someone else should take over if it is important for
> > 4.16.
> > 
> > Tyler
> 
> This is also on my todo list, but it sits behind fixing one last
> libseccomp bug and getting a new release out.  I made some good
> progress on the libseccomp bug right before the holiday, but I think
> there is still a day's worth of work left before it is ready to be
> merged.  I'm also traveling for the next week so I doubt I'll have any
> serious time to devote to the kernel patch(es).
> 
> I can't remember what Tyler's last thought was on the logic, but I
> imagine I'll just wait until I see some patches to review/merge, or I
> can go back in the thread if I happen to have time before anyone else.
> 
> Also, to set expectations, since we are currently at -rc6, this is
> likely going to need to wait until 4.17 at the earliest as I generally
> don't like merging new functionality in the last week or two before
> the merge window.
> 
> Also (part two), we should add a test case to the audit-testsuite for
> any new knobs that affect the SECCOMP records.
