[PATCH] Seccomp audit: Reduce unnecessary log spew

From: Parag Warudkar
Date: Sat Sep 08 2012 - 11:04:16 EST

Next message: David Ahern: "[PATCH 2/3] perf probe: make a copy of exec path for passing to basename"
Previous message: Shilimkar, Santosh: "Re: [PATCH v3 00/31] AArch64 Linux kernel port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Every time I run Chrome from dev channel, which uses seccomp, logs are
flooded with below repetitive entries -

2093.889522] audit_printk_skb: 42 callbacks suppressed
[ 2093.889527] type=1701 audit(1347114113.889:62): auid=4294967295
uid=1000 gid=1000 ses=4294967295 pid=5329 comm="chrome" reason="seccomp"
sig=0 syscall=2 compat=0 ip=0x7f1a63b45d90 code=0x50000

Reduce the seemingly needless repetitive logging by honoring audit_enabled
and checking if the signal is worth auditing.

Signed-off-by: Parag Warudkar <parag.lkml@xxxxxxxxx>

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415..6c3012a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2715,6 +2715,9 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;

+ if (!audit_enabled || !signr || signr == SIGQUIT)
+ return;
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
audit_log_abend(ab, "seccomp", signr);
audit_log_format(ab, " syscall=%ld", syscall);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Ahern: "[PATCH 2/3] perf probe: make a copy of exec path for passing to basename"
Previous message: Shilimkar, Santosh: "Re: [PATCH v3 00/31] AArch64 Linux kernel port"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]