linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: improved SECCOMP record filtering #71

Closed stevegrubb closed 6 years ago

stevegrubb commented 6 years ago

The seccomp trap event is probably not suitable to log by default. I think people are writing some supervisor process that inspects process integrity before allowing it to proceed. This means you can get tens of thousands of events a day drowning out everything in the logs. In contrast, errno returns make a well-behaved program exit or otherwise stop accessing something. Same thing with terminating a process.

We need some way to limit the logging of seccomp events. Or make applications specifically enable auditing when a trap action is asked for. It should default to no logging.
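The contrast the comment above draws between errno returns and the trap action, as an added example that is not part of the issue or of the audit project's code. It forks a child that loads a seccomp-BPF filter returning SECCOMP_RET_ERRNO(EPERM) for getppid and SECCOMP_RET_TRAP for getpgid (both syscalls are an arbitrary choice for the demonstration), with a SIGSYS handler standing in for the in-process "inspect, then let it proceed" check. The errno action yields one failed call; the trap action delivers one SIGSYS per call and the process carries on, which is the pattern that, with kernel audit enabled, produces one SECCOMP record per trapped call. It assumes Linux with seccomp-bpf on x86-64 or aarch64 and the kernel UAPI headers installed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter checks the ABI tag first so a foreign syscall table cannot be
 * used to slip past the rules (assumption: x86-64 or aarch64 host). */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1 /* si_code the kernel sets on a seccomp-triggered SIGSYS */
#endif
#define TRAPPED_CALLS 3 /* how often the child invokes the trapped syscall */

static volatile sig_atomic_t trap_count;

/* Stand-in for the supervisor logic the issue describes: note the trap and
 * return, so the process continues after every trapped syscall. */
static void on_sigsys(int sig, siginfo_t *info, void *uctx)
{
    (void)uctx;
    if (sig == SIGSYS && info->si_code == SYS_SECCOMP)
        trap_count++;
}

/* getppid -> SECCOMP_RET_ERRNO(EPERM), getpgid -> SECCOMP_RET_TRAP, rest allowed. */
static int install_filter(void)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpgid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filt / sizeof filt[0], .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) /* needed for unprivileged load */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs in the forked child. Exit status: bit 0 = getppid failed with EPERM,
 * bits 1.. = number of SIGSYS deliveries from the trapped getpgid calls. */
static int child_body(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigsys;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSYS, &sa, NULL) != 0 || install_filter() != 0)
        return 255; /* sentinel: the experiment could not be set up */
    errno = 0;
    long r = syscall(SYS_getppid);
    int errno_blocked = (r == -1 && errno == EPERM);
    for (int i = 0; i < TRAPPED_CALLS; i++)
        (void)syscall(SYS_getpgid, 0); /* trapped, skipped, then execution resumes */
    return errno_blocked | (trap_count << 1);
}

/* Returns the child's encoded outcome, or -1 if the child was killed or fork failed. */
int run_seccomp_experiment(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_body());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int result_errno_blocked(int result) { return result >= 0 && (result & 1); }
int result_trap_count(int result) { return result < 0 ? -1 : result >> 1; }

int main(void)
{
    int r = run_seccomp_experiment();
    if (r < 0 || r == 255) {
        fprintf(stderr, "seccomp experiment could not run\n");
        return 1;
    }
    printf("errno action: getppid failed with EPERM: %s\n", result_errno_blocked(r) ? "yes" : "no");
    printf("trap action: %d SIGSYS deliveries, process alive after each\n", result_trap_count(r));
    return 0;
}
```

Build with gcc and run on a host with auditd to see the audit side: each trapped call shows up as a type=SECCOMP record, while the errno call does not unless the task is already under audit. Kernels from 4.14 expose /proc/sys/kernel/seccomp/actions_logged, which lets an administrator remove trap from the set of logged actions.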

pcmoore commented 6 years ago

I'm changing the issue title to make this a more generic SECCOMP record filtering issue.

pcmoore commented 6 years ago

Closing as a duplicate of issue #13