seccomp: Honor the actions_logged sysctl for audited processes

Seccomp logging for "handled" actions such as RET_TRAP, RET_TRACE, or
RET_ERRNO can be very noisy for processes that are being audited. This
patch modifies the seccomp logging behavior to honor the
kernel.seccomp.actions_logged sysctl even when the current process is
being audited. Admins can silence logging of the aforementioned actions
by dropping those action names from the actions_logged sysctl.

With this patch, the logic for deciding if an action will be logged is:

  if action == RET_ALLOW:
    do not log
  else if action not in actions_logged:
    do not log
  else if action == RET_KILL:
  else if action == RET_LOG:
  else if filter-requests-logging:
  else if audit_enabled && process-is-being-audited:
    do not log

Reported-by: Steve Grubb <>
Signed-off-by: Tyler Hicks <>
4 files changed