Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty
On Sat, Nov 17, 2012 at 11:05:56PM +, brian m. carlson wrote:
> As you can see in the logs below, the audit subsystem logs entirely too
> many audit messages.

It is rate limited. And one event every 30 seconds is not that much.

> Since I use chrome, which uses seccomp (apparently), this makes lots of
> useless noise in the logs,

Chrome is not supported by Debian. Chromium is and does not show this behaviour in the latest available packages.

Bastian

--
Behind every great man, there is a woman -- urging him on.
-- Harry Mudd, "I, Mudd", stardate 4513.3
Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty
On Sun, Nov 18, 2012 at 12:36:44PM +0100, Bastian Blank wrote:
> On Sat, Nov 17, 2012 at 11:05:56PM +, brian m. carlson wrote:
> > As you can see in the logs below, the audit subsystem logs entirely too
> > many audit messages.
>
> It is rate limited. And one event every 30 seconds is not that much.

I opened this at normal severity because it is rate-limited. If it were not, it would have been much worse. I still feel that potentially 2880 messages per day is too many for the kernel log without some sort of mechanism to disable the flow.

> > Since I use chrome, which uses seccomp (apparently), this makes lots of
> > useless noise in the logs,
>
> Chrome is not supported by Debian. Chromium is and does not show this
> behaviour in the latest available packages.

That's because you're shipping version 22. Version 23 starts sandboxing all renderer processes, so you'll start seeing the bug soon enough.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty
Package: src:linux
Version: 3.6.6-1~experimental.1
Severity: normal

As you can see in the logs below, the audit subsystem logs entirely too many audit messages. Since this is built into the kernel, I cannot unload the module to prevent it from logging. Since I use chrome, which uses seccomp (apparently), this makes lots of useless noise in the logs, preventing me from seeing important messages.

Earlier versions of the kernel were not so verbose; please revert whatever change made the audit subsystem so chatty.

-- Package-specific info:
** Version:
Linux version 3.6-trunk-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-1) ) #1 SMP Debian 3.6.6-1~experimental.1

** Command line:
BOOT_IMAGE=/vmlinuz-3.6-trunk-amd64 root=/dev/mapper/vauxhall-root ro i8042.reset=1 i8042.nomux=1 i8042.reset=1 i8042.nomux=1

** Not tainted

** Kernel log:
[48663.540448] type=1701 audit(1353191396.713:61288): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48676.162384] type=1701 audit(1353191409.369:61289): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48694.976825] type=1701 audit(1353191428.229:61290): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48700.647071] type=1701 audit(1353191433.913:61291): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48701.174793] type=1701 audit(1353191434.441:61292): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48709.513116] type=1701 audit(1353191442.801:61293): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48710.644056] type=1701 audit(1353191443.933:61294): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48714.976828] type=1701 audit(1353191448.277:61295): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48744.307278] type=1701 audit(1353191477.681:61296): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48760.732681] type=1701 audit(1353191494.145:61297): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48769.289330] type=1701 audit(1353191502.725:61298): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48792.491672] type=1701 audit(1353191525.985:61299): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f129a3121d7 code=0x5
[48792.491708] type=1701 audit(1353191525.985:61300): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491713] type=1701 audit(1353191525.985:61301): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491716] type=1701 audit(1353191525.985:61302): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491720] type=1701 audit(1353191525.985:61303): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491723] type=1701 audit(1353191525.985:61304): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491726] type=1701 audit(1353191525.985:61305): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491779] type=1701 audit(1353191525.985:61306): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12943ff8fd code=0x5
[48792.491789] type=1701 audit(1353191525.985:61307): auid=1000 uid=1000 gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=21 compat=0 ip=0x7f12943ffb87 code=0x5
[48804.374728] audit_printk_skb: 22 callbacks suppressed
[48804.374731] type=1701 audit(1353191537.897:61319): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48807.164657] type=1701 audit(1353191540.693:61320): auid=1000 uid=1000 gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 ip=0x7f12964fb90d code=0x5
[48825.294859] type=1701
Bug#693568: closed by Ben Hutchings b...@decadent.org.uk (Re: Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty)
On Sun, Nov 18, 2012 at 01:45:04AM +, Debian Bug Tracking System wrote:
> On Sat, 2012-11-17 at 23:05 +, brian m. carlson wrote:
> > Package: src:linux
> > Version: 3.6.6-1~experimental.1
> > Severity: normal
> >
> > As you can see in the logs below, the audit subsystem logs entirely too
> > many audit messages. Since this is built into the kernel, I cannot
> > unload the module to prevent it from logging. Since I use chrome, which
> > uses seccomp (apparently), this makes lots of useless noise in the logs,
> > preventing me from seeing important messages.
> >
> > Earlier versions of the kernel were not so verbose; please revert
> > whatever change made the audit subsystem so chatty.
> [...]
>
> This is a bug in Chrome, please report it there.

Last I checked, Chrome did not write to the kernel ring buffer. The kernel does not need to log every audit failure any more than it needs to log every time a process tries to read a file that it does not have permission to read or every segfault that occurs or every packet dropped.

At the very least, there should be a file in procfs or sysfs that allows people to turn this off if they don't want their logs filled with useless crap. All sorts of unexpected behaviors are blocked on operating systems; very few of them deserve an entry in the kernel log.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Bug#693568: closed by Ben Hutchings b...@decadent.org.uk (Re: Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty)
On Sun, 2012-11-18 at 04:26 +, brian m. carlson wrote:
> On Sun, Nov 18, 2012 at 01:45:04AM +, Debian Bug Tracking System wrote:
> > On Sat, 2012-11-17 at 23:05 +, brian m. carlson wrote:
> > > Package: src:linux
> > > Version: 3.6.6-1~experimental.1
> > > Severity: normal
> > >
> > > As you can see in the logs below, the audit subsystem logs entirely too
> > > many audit messages. Since this is built into the kernel, I cannot
> > > unload the module to prevent it from logging. Since I use chrome, which
> > > uses seccomp (apparently), this makes lots of useless noise in the logs,
> > > preventing me from seeing important messages.
> > >
> > > Earlier versions of the kernel were not so verbose; please revert
> > > whatever change made the audit subsystem so chatty.
> > [...]
> >
> > This is a bug in Chrome, please report it there.
>
> Last I checked, Chrome did not write to the kernel ring buffer. The
> kernel does not need to log every audit failure any more than it needs
> to log every time a process tries to read a file that it does not have
> permission to read or every segfault that occurs or every packet
> dropped.

It's rate-limited.

> At the very least, there should be a file in procfs or sysfs that allows
> people to turn this off if they don't want their logs filled with
> useless crap. All sorts of unexpected behaviors are blocked on
> operating systems; very few of them deserve an entry in the kernel log.

There's a good reason Chrome has a sandbox, and a reason why you should know if it looks like something's trying to escape from it. (Though I think this is more likely to be a simple bug than a blocked attack.)

Ben.

--
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson
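
For triaging records like the ones in this report, the following added example (not part of the thread, nor Debian or kernel tooling) parses type=1701 seccomp audit lines, groups them by process, and separates a slow steady trickle from a tight burst of denials. The sample lines are constructed in the report's format; the burst thresholds and the two-entry x86-64 syscall name table are assumptions.

```python
import re
from collections import defaultdict

# Field layout follows the type=1701 records quoted in the bug report.
RECORD = re.compile(r"\[\s*(?P<t>\d+\.\d+)\]\s+type=1701\s+audit\([^)]*\):(?P<kv>.*)")
SUPPRESSED = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")
SYSCALLS = {2: "open", 21: "access"}  # x86-64 numbers seen in the report

# Constructed sample in the report's format (values are illustrative).
_LINE = ("[{t:>12.6f}] type=1701 audit(1353000000.000:{n}): auid=1000 uid=1000 "
         "gid=1000 ses=2 pid={pid} comm=chrome reason=seccomp sig=0 "
         "syscall={nr} compat=0 ip=0x7f0000000000 code=0x5")
_ROWS = [(100.0, 500, 2), (130.0, 500, 2), (160.0, 500, 2),
         (200.0001, 900, 2), (200.0002, 900, 2), (200.0003, 900, 21)]
SAMPLE = "\n".join(_LINE.format(t=t, n=i, pid=p, nr=nr)
                   for i, (t, p, nr) in enumerate(_ROWS))
SAMPLE += "\n[  205.000000] audit_printk_skb: 22 callbacks suppressed\n"

def parse(text):
    """Return ([(ktime, comm, pid, syscall_nr)], suppressed_count)."""
    events, suppressed = [], 0
    for line in text.splitlines():
        m = SUPPRESSED.search(line)
        if m:
            suppressed += int(m.group(1))  # records dropped by the rate limiter
            continue
        m = RECORD.search(line)
        if not m:
            continue
        kv = dict(f.split("=", 1) for f in m.group("kv").split() if "=" in f)
        if kv.get("reason") != "seccomp" or not {"pid", "comm", "syscall"} <= kv.keys():
            continue  # other anomaly records, or a truncated line
        events.append((float(m.group("t")), kv["comm"].strip('"'),
                       int(kv["pid"]), int(kv["syscall"])))
    return events, suppressed

def summarize(text, window=1.0, burst_min=3):
    """Per (comm, pid): count, syscall names, and whether burst_min events fit in window seconds."""
    events, suppressed = parse(text)
    by_proc = defaultdict(list)
    for t, comm, pid, nr in events:
        by_proc[(comm, pid)].append((t, nr))
    report = {}
    for key, recs in by_proc.items():
        times = sorted(t for t, _ in recs)
        burst = any(times[i + burst_min - 1] - times[i] <= window
                    for i in range(len(times) - burst_min + 1))
        report[key] = {"count": len(recs), "burst": burst,
                       "syscalls": sorted({SYSCALLS.get(nr, str(nr)) for _, nr in recs})}
    return report, suppressed
```

The suppressed count matters when reading the totals: the per-process counts are a lower bound whenever the rate limiter has dropped records.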