Comment 3 for bug 1707743

John Johansen (jjohansen) wrote :

AppArmor has a small deduplication LRU cache in its capability audit logging. It's pretty basic, just using a profile capability pair, which will prevent further logging of capability requests for the profile capability pair in question while the entry remains in the cache.

The cache is necessary because many capabilities are checked multiple times for a single syscall resulting in a flooding of the audit subsystem.

We can (and should) certainly extend the cache to take more than just the profile and capability into account. This would likely fix the majority of your issues.
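
The deduplication behaviour described in the comment above, as an added user-space model that is not AppArmor's kernel code and not part of the original comment. The slot count, the profile name, and the choice of the process ID as the extra key field are assumptions; the comment does not say which fields the key would be extended with.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4  /* constructed size; the page does not give the real one */

struct entry { char profile[32]; int cap, pid, valid; unsigned long used; };
struct cache { struct entry e[SLOTS]; unsigned long tick; int key_pid; };

/* Returns 1 if the request should be audited, 0 if deduplicated. */
int should_log(struct cache *c, const char *profile, int cap, int pid)
{
    struct entry *v = &c->e[0];
    c->tick++;
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &c->e[i];
        if (e->valid && e->cap == cap && (!c->key_pid || e->pid == pid) &&
            !strncmp(e->profile, profile, sizeof e->profile - 1)) {
            e->used = c->tick;          /* hit: refresh and suppress */
            return 0;
        }
        /* track eviction victim: an empty slot, else least recently used */
        if (v->valid && (!e->valid || e->used < v->used))
            v = e;
    }
    memset(v, 0, sizeof *v);
    strncpy(v->profile, profile, sizeof v->profile - 1);
    v->cap = cap; v->pid = pid; v->valid = 1; v->used = c->tick;
    return 1;
}

/* Constructed trace: two processes under one profile request the same
 * capability, each checked several times, then a second capability. */
int count_logged(int key_pid)
{
    struct cache c = { .key_pid = key_pid };
    const char *prof = "/usr/bin/example";   /* hypothetical profile name */
    int n = 0;
    for (int i = 0; i < 3; i++) n += should_log(&c, prof, 21, 100); /* CAP_SYS_ADMIN */
    for (int i = 0; i < 2; i++) n += should_log(&c, prof, 21, 200);
    n += should_log(&c, prof, 12, 100);                             /* CAP_NET_ADMIN */
    return n;
}

int main(void)
{
    printf("profile+cap key: %d records\n", count_logged(0));
    printf("profile+cap+pid key: %d records\n", count_logged(1));
    return 0;
}
```

With the profile/capability key the second process's request leaves no audit record while the entry is cached; the wider key records it and still collapses the repeated checks within each process.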