On Sun, Sep 09, 2018 at 06:13:24PM -0400, Eli Schwartz via arch-general wrote:
On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor adoption... Perhaps relevant: https://lists.debian.org/debian-devel/2017/08/msg00090.html .
But I have a question: why was AUDIT enabled in the first place? I thought it was considered useless?
It is definitely not useless! It's historically been disabled because it did not have any good way to enable support, but keep it turned off by default. And having it turned on by default came with mandatory slowdowns for *all* users.
Ironically, Spectre has proven to be our friend here -- due to all the mitigations, there is now no fast path for these system calls, so your kernel is just as slow whether AUDIT is enabled or not. Therefore, we ended up simply enabling it.
Good to know. I remember arguments like "audit is primarily necessary for selinux that we don't have... Otherwise it just spams logs". In any case, audit=0 is the way to go for me.

Cheers,
L.

--
Leonid Isaev