On Fri, 2014-05-02 at 14:03 -0700, Mark Brown wrote:
> On Fri, May 02, 2014 at 07:45:44PM +0000, Luck, Tony wrote:
>
> > > It would be useful for the smaller build case to have a way of auditing
> > > which syscalls are actually in use on a system so you can then go
> > > through and construct a minimal config.
>
> > "strace -c" ?
>
> That works for specific processes but I don't immediately see a
> straightforward way to do it system wide (I guess a wrapper that straces
> init and children might do the trick but it's not particularly nice).
> Part of the trick for getting the general security win is to lower the
> barrier to entry.

You can do it relatively easily with auditing, surely?

Set up an audit rule for each syscall you aren't already sure is in use.
Disable the rule when you see it used, and it shouldn't even have much of
an overhead over and above what it takes to have auditing enabled in the
first place (which we tried to keep to a minimum).

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation
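The audit-based approach David describes, worked through as an added example (this is not code from the thread or from any of its participants): generate one auditctl rule per candidate syscall, parse the resulting audit.log SYSCALL records to see which rules fired, emit the matching delete commands, and report the candidates that were never observed. Assumed: the rule key "syscall-audit", an x86_64 host (arch=c000003e in the log), and a constructed subset of the x86_64 syscall-number table. auditctl needs root and a live audit subsystem, so the script only builds the commands and parses log lines; the sample log records are constructed.

```python
"""Find which syscalls a system actually uses by driving auditd rules.

Added example following the suggestion in the thread: one audit rule per
candidate syscall, drop a rule once that syscall has been seen.
Assumptions: audit key "syscall-audit", x86_64 (arch=c000003e), and a
constructed subset of the x86_64 syscall table.
"""
import re

AUDIT_KEY = "syscall-audit"   # assumed key used to tag our rules

# Constructed subset of the x86_64 syscall table (number -> name).
X86_64_SYSCALLS = {
    0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
    59: "execve", 60: "exit", 257: "openat", 318: "getrandom",
}

# Constructed sample audit.log records: two hits on our key, one record
# from an unrelated rule, one non-SYSCALL record.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1399064300.101:5001): arch=c000003e syscall=257 '
    'success=yes exit=3 ppid=1 pid=812 uid=0 comm="sshd" key="syscall-audit"',
    'type=SYSCALL msg=audit(1399064300.105:5002): arch=c000003e syscall=318 '
    'success=yes exit=16 ppid=1 pid=812 uid=0 comm="sshd" key="syscall-audit"',
    'type=SYSCALL msg=audit(1399064300.110:5003): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1 pid=900 uid=0 comm="sh" key="exec-watch"',
    'type=PATH msg=audit(1399064300.101:5001): item=0 name="/etc/ssh/sshd_config"',
]


def add_rule_cmds(names):
    """One auditctl add command per candidate syscall (64-bit ABI, at exit)."""
    return [f"auditctl -a always,exit -F arch=b64 -S {n} -k {AUDIT_KEY}" for n in names]


def del_rule_cmds(names):
    """Matching delete commands, to run once a syscall has been observed."""
    return [f"auditctl -d always,exit -F arch=b64 -S {n} -k {AUDIT_KEY}" for n in names]


_SYSCALL_RE = re.compile(r"\bsyscall=(\d+)\b")
_ARCH_RE = re.compile(r"\barch=([0-9a-f]+)\b")
_KEY_RE = re.compile(r'\bkey="([^"]*)"')


def observed_syscalls(log_lines, key=AUDIT_KEY, arch="c000003e"):
    """Names of syscalls seen in SYSCALL records tagged with `key` for `arch`.

    The syscall number is ABI-specific, so records for another arch are
    skipped rather than misread.  Unknown numbers are kept as syscall_<nr>.
    """
    seen = set()
    for line in log_lines:
        if not line.startswith("type=SYSCALL "):
            continue
        k, a, n = _KEY_RE.search(line), _ARCH_RE.search(line), _SYSCALL_RE.search(line)
        if not (k and a and n) or k.group(1) != key or a.group(1) != arch:
            continue
        nr = int(n.group(1))
        seen.add(X86_64_SYSCALLS.get(nr, f"syscall_{nr}"))
    return seen


def unused_syscalls(candidates, log_lines):
    """Candidates whose rule never fired: the ones a minimal config can drop."""
    return sorted(set(candidates) - observed_syscalls(log_lines))


if __name__ == "__main__":
    candidates = ["openat", "getrandom", "execve", "mmap"]
    print("# install rules:")
    print("\n".join(add_rule_cmds(candidates)))
    seen = observed_syscalls(SAMPLE_LOG)
    print("# seen, so disable these rules:")
    print("\n".join(del_rule_cmds(sorted(seen))))
    print("# never observed:", unused_syscalls(candidates, SAMPLE_LOG))
```

The record for syscall 59 is ignored because it carries a different key, which is why tagging the rules with a dedicated `-k` value matters: it keeps this pass separate from whatever other audit rules the host already has. In a real run the log source would be `ausearch -k syscall-audit` or the raw audit.log rather than the constructed list.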