On Sun, Sep 09, 2018 at 06:13:24PM -0400, Eli Schwartz via arch-general wrote:
> On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> > FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> > adoption... Perhaps relevant:
> > https://lists.debian.org/debian-devel/2017/08/msg00090.html .
> >
> > But I have a question: why was AUDIT enabled in the first place? I thought it
> > was considered useless?
>
> It is definitely not useless! It's historically been disabled because it
> did not have any good way to enable support, but keep it turned off by
> default. And having it turned on by default came with mandatory
> slowdowns for *all* users.
>
> Ironically, Spectre has proven to be our friend here -- due to all the
> mitigations, there is now no fast path for these system calls, so your
> kernel is just as slow whether AUDIT is enabled or not. Therefore, we
> ended up simply enabling it.
>

Good to know. I remember arguments like "audit is primarily necessary for
selinux that we don't have... Otherwise it just spams logs". In any case,
audit=0 is the way to go for me.

Cheers,
L.

--
Leonid Isaev