
qtox: audit log spam due to blocked netlink #5277

Closed
JeremyMahieu opened this issue Jul 28, 2022 · 7 comments
Labels
duplicate This issue or pull request already exists

Comments


JeremyMahieu commented Jul 28, 2022

Is your feature request related to a problem? Please describe.

In the profile for qtox only protocols inet, inet6, and unix are enabled while qtox is confined with seccomp. This leads to generation of seccomp violation reports since qtox also needs AF_NETLINK sockets.
The reports look like this:

Jul 28 11:17:03 XYZ audit[12345]: SECCOMP auid=1234 uid=1234 gid=1234 ses=1 subj==firejail-default (enforce) pid=12345 comm=<hash> exe="/usr/bin/qtox" sig=0 arch=bbbbbbbb syscall=41 compat=0 ip=0xaaaaaaaaaaaa code=0xababa

Describe the solution you'd like

This seemingly does not interfere with qtox's functionality but please consider adding netlink to permitted protocols in that profile.

Describe alternatives you've considered

Ignoring the seccomp violation messages, but they pollute the system journal and occur a few times every 10 seconds.

Additional context

The system needs the Audit framework enabled and auditd running for these messages to reach the journal. Systems configured otherwise will not see the same messages.
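An added example, not from this issue thread or from the firejail project: a small Python triage script that parses audit SECCOMP records like the one quoted above, decodes the syscall number and the seccomp return action, and counts repeated non-fatal denials per executable, which is the signature of the "application works but spams the journal" case described here. The sample journal lines are constructed; the arch value c000003e (x86_64), the syscall table and the return-code encoding are assumed from the standard Linux headers rather than taken from the anonymised record in the report.

```python
import re
from collections import Counter

# Constructed sample journal lines modelled on the record in the issue.
# The issue's arch/ip/code values are anonymised; arch c000003e (x86_64),
# syscall 41 (socket on x86_64) and code 0x50000 (SECCOMP_RET_ERRNO) are
# assumed here for illustration.
SAMPLE_LINES = [
    'Jul 28 11:17:03 host audit[12345]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 '
    'subj==firejail-default (enforce) pid=12345 comm="qtox" exe="/usr/bin/qtox" '
    'sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f00deadbeef code=0x50000',
    'Jul 28 11:17:08 host audit[12345]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 '
    'subj==firejail-default (enforce) pid=12345 comm="qtox" exe="/usr/bin/qtox" '
    'sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f00deadbeef code=0x50000',
    'Jul 28 11:17:09 host kernel: audit: rate limit exceeded',
    'Jul 28 11:17:12 host audit[23456]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 '
    'subj==firejail-default (enforce) pid=23456 comm="other" exe="/usr/bin/other" '
    'sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f00cafef00d code=0x0',
]

# key=value tokens; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AUDIT_ARCH_X86_64 from <linux/audit.h>: EM_X86_64 | 64BIT | LE flags.
AUDIT_ARCH_X86_64 = 0xC000003E

# Socket-family subset of the x86_64 syscall table (standard ABI numbers).
X86_64_SYSCALLS = {
    41: "socket", 42: "connect", 43: "accept", 44: "sendto", 45: "recvfrom",
    46: "sendmsg", 47: "recvmsg", 49: "bind", 50: "listen", 54: "setsockopt",
}

# Upper 16 bits of the audit 'code' field hold the seccomp action
# (SECCOMP_RET_ACTION_FULL mask from <linux/seccomp.h>).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "kill_thread", 0x80000000: "kill_process", 0x00030000: "trap",
    0x00050000: "errno", 0x7FF00000: "trace", 0x7FFC0000: "log",
    0x7FFF0000: "allow",
}


def parse_seccomp_record(line):
    """Parse one audit SECCOMP line into a dict; return None for other records."""
    if not re.search(r"\bSECCOMP\b", line):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        arch = int(fields["arch"], 16)
        syscall = int(fields["syscall"])
        code = int(fields["code"], 16)
    except (KeyError, ValueError):
        return None
    if arch == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(syscall, f"syscall_{syscall}")
    else:
        name = f"syscall_{syscall}"  # table above is x86_64 only
    return {
        "exe": fields.get("exe"),
        "pid": fields.get("pid"),
        "syscall": syscall,
        "syscall_name": name,
        # sig=0 means no signal was delivered: the filter returned an error
        # to the caller instead of killing it, so the program keeps running.
        "signal": int(fields.get("sig", "0")),
        "action": SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, "unknown"),
    }


def summarize(lines):
    """Count SECCOMP denials grouped by (exe, syscall name, action)."""
    counts = Counter()
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec is not None:
            counts[(rec["exe"], rec["syscall_name"], rec["action"])] += 1
    return counts


def noisy_non_fatal(counts, threshold=2):
    """Executables that repeatedly hit a non-fatal (errno/log) seccomp rule.

    These are the 'works fine but floods the journal' cases; a fatal action
    (kill_*) is a functional break and should be looked at differently.
    """
    exes = {exe for (exe, _name, action), n in counts.items()
            if action in ("errno", "log") and n >= threshold}
    return sorted(exes)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for (exe, name, action), n in sorted(summary.items()):
        print(f"{n:4d}  {exe}  {name}  action={action}")
    print("noisy but non-fatal:", noisy_non_fatal(summary))
```

A socket() denial with sig=0 under a firejail profile that carries a `protocol` line points at a protocol family missing from that line (firejail's protocol filter is a seccomp filter on the first argument of socket()). Whether to widen the profile with a qtox.local override or to silence the records with an audit exclude rule is the trade-off discussed in this thread.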

@glitsj16 (Collaborator)

> Describe alternatives you've considered
> Ignoring the seccomp violation messages, but they pollute the system journal and occur a few times every 10 seconds.

One can always add netlink in a qtox.local override. But, IMO, when an application functions properly without it, and the issue is only journal spamming, users can add a rule to audit's configuration to silence these warnings. That way the sandbox is kept nicely tight and the irritating spamming is handled cleanly. Here's an example you can try in case of qtox:

$ cat /etc/audit/rules.d/20-dont-audit.rules
[...]
-a always,exclude -F exe=/usr/bin/qtox

Let's wait a bit to let other people give their opinion on how to proceed here (adding a comment on how to silence these warnings, or adding netlink to protocol).

@rusty-snake (Collaborator)

Journal spamming is already fixed (#5207).
If qtox works w/o netlink we should not weaken its profile for cosmetic reasons.

I would close as won't fix/duplicate.

glitsj16 added the labels duplicate (This issue or pull request already exists) and wontfix (This will not be worked on) on Jul 28, 2022

@glitsj16 (Collaborator)

@JeremyMahieu So what the above comments boil down to is that the issue should be fixed in git already. Consult our wiki for instructions on how to build from git.

@kmk3 (Collaborator) commented Jul 29, 2022

(Re-closing as "not planned", since it was marked as duplicate)

Duplicate of #5207.

Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event...

kmk3 closed this as not planned on Jul 29, 2022
kmk3 changed the title from "RFE qtox.profile" to "qtox.profile spams audit logs due to blocked netlink" on Jul 29, 2022
kmk3 removed the wontfix (This will not be worked on) label on Jul 29, 2022

@rusty-snake (Collaborator)

> Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event...

It only does so if `Duplicate of #1234` is the only text in your comment. Even a `.` at the end stops it IIRC.

@kmk3 (Collaborator) commented Jul 29, 2022

Duplicate of #5207

kmk3 marked this as a duplicate of #5207 on Jul 29, 2022

@kmk3 (Collaborator) commented Jul 29, 2022

@rusty-snake commented on Jul 29:

> > Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event...
>
> It only does so if `Duplicate of #1234` is the only text in your comment. Even a `.` at the end stops it IIRC.

Thanks! I had a hunch that it could be due to that, but I refused to believe
that it would be so brittle hehe.

I mean, even GitHub's own dependabot puts a dot at the end on similar
comments[1]:

Superseded by #XXX.

[1] kmk3#15 (comment)

kmk3 changed the title from "qtox.profile spams audit logs due to blocked netlink" to "qtox: audit log spam due to blocked netlink" on Sep 5, 2024