Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flood of seccomp audit log entries #5207

Closed
EdiDD opened this issue Jun 17, 2022 · 12 comments
Closed

Flood of seccomp audit log entries #5207

EdiDD opened this issue Jun 17, 2022 · 12 comments
Labels
bug Something isn't working

Comments

@EdiDD
Copy link

EdiDD commented Jun 17, 2022
edited by kmk3
Loading

There are many log entries like: audit: SECCOMP ... and kernel: audit: ... in journal probably because of (firejail 0.9.70):

Is there a way to disable this or make these messages silently ignored ?
@netblue30 netblue30 added the bug Something isn't working label Jun 17, 2022
netblue30 added a commit that referenced this issue Jun 17, 2022
@netblue30
fixing seccomp log (#5207)
17774ad
@netblue30
Copy link
Owner

Bug! I have it on my computer so far for whois, transmission, and Tor browser. Log example:

Jun 17 07:50:36 debian kernel: [ 4566.037606] audit: type=1326 audit(1655466636.900:143): auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=7841 comm=517420626561726572207468726561 exe="/usr/bin/transmission-qt" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f83e851f477 code=0x50000

Syscall 41 is "socket" (you can get the name by running "firejail --debug-syscalls"). In the profile I had to add "netlink" and "unix":

protocol unix,inet,inet6,netlink

Let's look in the logs for some more programs generating this kind of messages. Thanks for the bug!

@rusty-snake
Copy link
Collaborator

Previous discussion with suggested fix (and deleted comment 👎): #5181 (comment)
Please link to previous discussion if you move them.

-protocol inet,inet6
+protocol unix,inet,inet6,netlink

Do we really need to open all this?

@glitsj16
Copy link
Collaborator

Personally I tend to agree with @rusty-snake's comment above. It seems overkill to allow a potentially insecure netlink protocol 'just' to keep cleaner logs IMO. Perhaps a comment would be more appropriate instead?

Besides, users can always provide their own audit filtering via /etc/audit/rules.d for log sanity (audit tends to be very verbose by default). See this for some examples.

@netblue30
Copy link
Owner

Good point! I'll add instead a configuration flag in /etc/firejail/firejail.config to shut down the automatic logging, enabled by default. Will this work?

@glitsj16
Copy link
Collaborator

glitsj16 commented Jun 17, 2022
edited
Loading

Good point! I'll add instead a configuration flag in /etc/firejail/firejail.config to shut down the automatic logging, enabled by default. Will this work?

It should work yes. I happen to have some extra time to test if you 'd like. Been doing some specific audit filtering lately in another context, that's why it occurred to me it might be a more appropriate way to deal with this. Once things settle down code-wise I can add a wiki item with some example rules for log sanitation. Thanks for looking into things!

@EdiDD
Copy link
Author

EdiDD commented Jun 18, 2022

Let's look in the logs for some more programs generating this kind of messages. Thanks for the bug!

It also occurs in curl

@netblue30
Copy link
Owner

I added "seccomp-log no" in /etc/firejail/firejail.config

c7e4c8e

@EdiDD
Copy link
Author

EdiDD commented Jun 18, 2022

Great! , waiting for a patched release. Thank you.

@glitsj16
Copy link
Collaborator

@netblue30 c7e4c8e works fine, thanks! Just one question: now this is 'fixed', can/should we revert 17774ad?

netblue30 added a commit that referenced this issue Jun 20, 2022
@netblue30
reverting previous seccomp log fix (#5207)
a9caad1
@netblue30
Copy link
Owner

Forgot about it. I've just revert it.

@netblue30 netblue30 added the in testing A bugfix that is being tested label Jun 20, 2022
@kmk3
Copy link
Collaborator

kmk3 commented Jun 20, 2022

@rusty-snake commented on May 20:

FTR: c0d314f

@SkewedZeppelin Can this be reverted as well?

SkewedZeppelin added a commit that referenced this issue Jun 21, 2022
@SkewedZeppelin
Revert "xonotic.profile: fix audit denial spam"
9c4772f 
Logging is now default disabled in c7e4c8e
See #5207

This reverts commit c0d314f.
@SkewedZeppelin
Copy link
Collaborator

SkewedZeppelin commented Jun 21, 2022 via email

@rusty-snake rusty-snake mentioned this issue Jul 28, 2022
Closed
@kmk3 kmk3 changed the title Flooding seccomp log entries Flood of seccomp audit log entries Aug 20, 2022
kmk3 added a commit that referenced this issue Aug 20, 2022
@kmk3
RELNOTES: add seccomp log flood bugfix
ffc4f72 
Relates to #5207.
@kmk3 kmk3 removed the in testing A bugfix that is being tested label Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Release 0.9.72
Status: Done (on RELNOTES)
Milestone
No milestone
Development

No branches or pull requests
6 participants
@glitsj16 @SkewedZeppelin @netblue30 @EdiDD @kmk3 @rusty-snake