Seccomp received improved logging controls in v4.14. Applications can opt into logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE, SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters. They can also debug filter matching with the new SECCOMP_RET_LOG action. Administrators can prevent specific actions from being logged using the kernel.seccomp.actions_logged sysctl. However, one corner case intentionally wasn't addressed in those v4.14 changes. When a process is being inspected by the audit subsystem, seccomp's decision making for logging ignores the new controls and unconditionally logs every action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since many existing applications don't intend to log handled actions due to them occurring very frequently. This amount of logging fills the audit logs without providing many benefits now that application authors have fine grained controls at their disposal. This patch set aligns the seccomp logging behavior for both audited and unaudited processes. It also emits an audit record, if auditing is enabled, when the kernel.seccomp.actions_logged sysctl is written to so that there's a paper trail when entire actions are quieted. Tyler -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html