mistifyio / mistify

The Mistify monorepo
http://mistify.io
MIT License

Investigate System Call Auditing #42

Open pjnorton opened 8 years ago

pjnorton commented 8 years ago

As part of developing secure containers in Mistify, investigate what exists and needs to be added/augmented for auditing sys calls.

trisk commented 8 years ago

SECCOMP_RET_KILL calls audit_seccomp() with SIGSYS as the second parameter (signr) explicitly, while SECCOMP_RET_ERRNO and SECCOMP_RET_TRAP call audit_seccomp() with 0 as the second parameter.

audit_seccomp is a no-op if signr is 0, so it only prints an audit trace if the process is killed.

However, our phase1 filter returns SECCOMP_PHASE1_SKIP which may allow _TIF_SYSCALL_AUDIT to work if requested.
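Added example (mine, not Mistify code) that takes trisk's observation from the detection side: since `audit_seccomp()` only emits a record when a signal is delivered, the `type=SECCOMP` records in the audit log normally show only kills, and a denied syscall handled by `SECCOMP_RET_ERRNO` or `SECCOMP_RET_TRAP` leaves no trace unless per-task syscall auditing (the `_TIF_SYSCALL_AUDIT` path) is on. The parser assumes the field layout of the kernel's `__audit_seccomp()` (`sig=`, `arch=`, `syscall=`, `compat=`, `ip=`, `code=` after the usual task fields) and the `SECCOMP_RET_*` action values from the seccomp UAPI header; the log lines are constructed samples, and `SECCOMP_RET_LOG` is listed only for completeness since it was added in kernels later than the one discussed here.

```python
"""Parse Linux audit SECCOMP records and report which ones were kills.

The `code=` field is the filter's return value with SECCOMP_RET_DATA masked
off, so 0x0 is SECCOMP_RET_KILL and 0x50000 is SECCOMP_RET_ERRNO. A record
with sig=0 (the ERRNO line below) only shows up when the task already has
syscall auditing enabled; without that, ERRNO/TRAP denials are silent.
"""
import re
from typing import Dict, List, Optional, Tuple

# Action constants from <linux/seccomp.h>.
SECCOMP_RET_ACTION = 0x7FFF0000
ACTION_NAMES = {
    0x00000000: "KILL",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FF00000: "TRACE",
    0x7FFC0000: "LOG",    # added in later kernels than this thread covers
    0x7FFF0000: "ALLOW",
}
# AUDIT_ARCH_* values as they appear in the arch= field.
ARCH_NAMES = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
    0x40000028: "arm",
}
SIGSYS = 31  # signal the kernel delivers for SECCOMP_RET_KILL / _TRAP

# Constructed sample log: two kills (x86_64 and aarch64), one ERRNO denial
# that was only recorded because syscall auditing was active, and one
# unrelated SYSCALL record that the parser must ignore.
SAMPLE_LOG = """\
type=SECCOMP msg=audit(1463000001.101:201): auid=1000 uid=1000 gid=1000 ses=4 pid=4242 comm="guest-agent" exe="/usr/bin/guest-agent" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3a9c0d1e27 code=0x0
type=SECCOMP msg=audit(1463000002.202:202): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4300 comm="sshd" exe="/usr/sbin/sshd" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f0000001234 code=0x50000
type=SYSCALL msg=audit(1463000003.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=4301 comm="sh" exe="/bin/sh"
type=SECCOMP msg=audit(1463000004.404:204): auid=1000 uid=1000 gid=1000 ses=5 pid=4400 comm="worker" exe="/opt/worker" sig=31 arch=c00000b7 syscall=220 compat=0 ip=0xaaaab0001000 code=0x0
"""

_HDR = re.compile(r'^type=SECCOMP msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line: str) -> Optional[Dict[str, object]]:
    """Return a decoded dict for a type=SECCOMP line, or None for any other record."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    code = int(fields["code"], 16)
    sig = int(fields["sig"])
    arch = int(fields["arch"], 16)
    return {
        "time": float(ts),
        "serial": int(serial),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields.get("exe"),
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "syscall": int(fields["syscall"]),
        "sig": sig,
        "action": ACTION_NAMES.get(code & SECCOMP_RET_ACTION, hex(code)),
        # Only a non-zero signr makes audit_seccomp() log unconditionally.
        "killed": sig == SIGSYS,
    }


def summarize(log_text: str) -> Dict[str, object]:
    """Count SECCOMP records per action and list the processes that were killed."""
    records = [r for r in (parse_seccomp_record(l) for l in log_text.splitlines()) if r]
    by_action: Dict[str, int] = {}
    for r in records:
        by_action[r["action"]] = by_action.get(r["action"], 0) + 1
    killed: List[Tuple[int, str, str, int]] = [
        (r["pid"], r["comm"], r["arch"], r["syscall"]) for r in records if r["killed"]
    ]
    return {"records": len(records), "by_action": by_action, "killed": killed}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("SECCOMP records:", summary["records"], "by action:", summary["by_action"])
    for pid, comm, arch, nr in summary["killed"]:
        print(f"killed pid={pid} comm={comm} arch={arch} syscall={nr}")
```

In practice this means an empty `killed` list is not evidence that no syscall was denied: a filter built around `SECCOMP_RET_ERRNO` can reject calls all day without producing a single record, which is exactly the gap the thread is about.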