group.of.nepali.translators team mailing list archive
Message #33585
[Bug 1774711] Re: excessive seccomp audit logs
On 2019-11-30 21:44:33, A. Denton wrote:
> Will the required patch set be backported to an older kernel, such as Ubuntu
> 4.15.0-70.79-generic 4.15.18?
No, there are no plans to backport them at this time.
If you'd like to make use of a kernel containing those patches in Ubuntu
18.04 LTS, please consider installing the enablement kernel:
https://wiki.ubuntu.com/Kernel/LTSEnablementStack#Ubuntu_18.04_LTS_-_Bionic_Beaver
> Will the patches be in 20.04 LTS (kernel >= 4.18), which is around the
> corner?
Yes. The patches landed upstream in 4.18 so they'll be in the 20.04 LTS
kernel which will likely be based on upstream 5.4.
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Status: New => Won't Fix
** Changed in: linux (Ubuntu Bionic)
Status: New => Won't Fix
** Changed in: linux (Ubuntu Disco)
Status: New => Fix Released
** Changed in: linux (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1774711
Title:
excessive seccomp audit logs
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Won't Fix
Status in linux source package in Bionic:
Won't Fix
Status in linux source package in Disco:
Fix Released
Bug description:
Hello, my audit logs are currently filled with messages from Firefox's
seccomp filters which look like this:
type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223319): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223320): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.687:223321): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223322): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223323): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000
type=SECCOMP msg=audit(1527882167.691:223324): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000
$ aa-decode 57656220436F6E74656E74
Decoded: Web Content
$ aa-decode 2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429
Decoded: /usr/lib/firefox/firefox (deleted)
Over a recent 48 hour stretch it averaged out to nearly one message
per second.
My current audit rules are:
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
--loginuid-immutable
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /usr/share/zoneinfo/ -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
-w /etc/audit/ -p wa -k CFG_audit
-w /var/log/audit/ -k audit-logs
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/init.d/apparmor -p wa -k MAC-policy
-w /lib/apparmor/ -p wa -k MAC-policy
-w /sbin/apparmor_parser -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libpthread.so.0 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libm.so.6 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/libc.so.6 -p wa -k MAC-policy
-w /lib/x86_64-linux-gnu/ld-2.23.so -p wa -k MAC-policy
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-w /etc/sysctl.d/ -p wa -k CFG_sysctl.conf
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k modules
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-w /etc/modprobe.d/ -p wa -k CFG_modprobe
-a always,exit -F arch=b64 -S mount,umount2
-a always,exit -F arch=b32 -S mount,umount,umount2
-w /etc/ld.so.cache -p wa -k CFG_ld.so.conf
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-w /etc/ld.so.conf.d -p wa -k CFG_ld.so.conf
-w /etc/ld.so.preload -p wa -k CFG_ld.so.conf
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/ -p wa -k CFG_pam
-w /etc/ssh/sshd_config -k CFG_sshd_config
It's my understanding that this is addressed in an upcoming kernel via this specific patch in a series of cleanups around seccomp logging:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/?h=next&id=326bee0286d7f6b0d780f5b75a35ea9fe489a802
Please consider backporting this fix into the Bionic kernel.
Thanks
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-20-generic 4.15.0-20.21
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Fri Jun 1 12:42:04 2018
InstallationDate: Installed on 2012-10-18 (2052 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
ProcEnviron:
TERM=rxvt-unicode-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: linux-signed
UpgradeStatus: Upgraded to bionic on 2018-05-02 (30 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions
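
An added example, not part of the original message or bug report: a small Python parser that decodes the hex-encoded comm/exe fields of the SECCOMP records above (the job aa-decode does) and tallies them by process, syscall and seccomp action. The action constants and x86_64 syscall names are filled in from the kernel headers rather than from the report, and the function names are illustrative.

```python
import re
from collections import Counter

# Seccomp return actions (top 16 bits of the filter result), from <linux/seccomp.h>.
ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
           0x00050000: "ERRNO", 0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
           0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
X86_64 = {4: "stat", 87: "unlink", 257: "openat"}  # only the syscalls in the sample
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_untrusted(value):
    """Undo auditd's encoding of untrusted strings: quoted as-is, or bare hex."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def parse_seccomp(line):
    """Return a dict for a type=SECCOMP record, or None for any other line."""
    f = dict(FIELD.findall(line))
    stamp = re.match(r"audit\((\d+\.\d+):\d+\)", f.get("msg", ""))
    if f.get("type") != "SECCOMP" or not stamp:
        return None
    known = X86_64 if f["arch"] == "c000003e" else {}  # AUDIT_ARCH_X86_64
    return {"time": float(stamp.group(1)),
            "comm": decode_untrusted(f["comm"]), "exe": decode_untrusted(f["exe"]),
            "syscall": known.get(int(f["syscall"]), f["arch"] + "/" + f["syscall"]),
            "action": ACTIONS.get(int(f["code"], 16) & 0xFFFF0000, f["code"])}

def summarize(lines):
    """Count records per (comm, syscall, action) and return the time span covered."""
    events = [e for e in map(parse_seccomp, lines) if e]
    counts = Counter((e["comm"], e["syscall"], e["action"]) for e in events)
    times = [e["time"] for e in events]
    return counts, (max(times) - min(times) if times else 0.0)

SAMPLE = [  # first four records from the bug description above
    "type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000",
    "type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000",
    "type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000",
    "type=SECCOMP msg=audit(1527882167.687:223319): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000",
]
if __name__ == "__main__":
    counts, span = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print(f"span: {span:.3f}s")
```

The code=0x30000 value in these records is SECCOMP_RET_TRAP, so every sample line is tallied under the TRAP action for the "Web Content" process.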