Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty

2012-11-18 Thread Bastian Blank
On Sat, Nov 17, 2012 at 11:05:56PM +, brian m. carlson wrote:
> As you can see in the logs below, the audit subsystem logs entirely too
> many audit messages.

It is rate limited. And one event every 30 seconds is not that much.

> Since I use chrome, which
> uses seccomp (apparently), this makes lots of useless noise in the logs,

Chrome is not supported by Debian. Chromium is and does not show this
behaviour in the latest available packages.

Bastian

-- 
Behind every great man, there is a woman -- urging him on.
-- Harry Mudd, I, Mudd, stardate 4513.3





Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty

2012-11-18 Thread brian m. carlson
On Sun, Nov 18, 2012 at 12:36:44PM +0100, Bastian Blank wrote:
> On Sat, Nov 17, 2012 at 11:05:56PM +, brian m. carlson wrote:
> > As you can see in the logs below, the audit subsystem logs entirely too
> > many audit messages.
>
> It is rate limited. And one event every 30 seconds is not that much.

I opened this at normal severity because it is rate-limited.  If it were
not, it would have been much worse.  I still feel that potentially 2880
messages per day is too many for the kernel log without some sort of
mechanism to disable the flow.

> > Since I use chrome, which
> > uses seccomp (apparently), this makes lots of useless noise in the logs,
>
> Chrome is not supported by Debian. Chromium is and does not show this
> behaviour in the latest available packages.

That's because you're shipping version 22.  Version 23 starts sandboxing
all renderer processes, so you'll start seeing the bug soon enough.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty

2012-11-17 Thread brian m. carlson
Package: src:linux
Version: 3.6.6-1~experimental.1
Severity: normal

As you can see in the logs below, the audit subsystem logs entirely too
many audit messages.  Since this is built into the kernel, I cannot
unload the module to prevent it from logging.  Since I use chrome, which
uses seccomp (apparently), this makes lots of useless noise in the logs,
preventing me from seeing important messages.  Earlier versions of the
kernel were not so verbose; please revert whatever change made the audit
subsystem so chatty.

-- Package-specific info:
** Version:
Linux version 3.6-trunk-amd64 (debian-kernel@lists.debian.org) (gcc version 
4.6.3 (Debian 4.6.3-1) ) #1 SMP Debian 3.6.6-1~experimental.1

** Command line:
BOOT_IMAGE=/vmlinuz-3.6-trunk-amd64 root=/dev/mapper/vauxhall-root ro 
i8042.reset=1 i8042.nomux=1 i8042.reset=1 i8042.nomux=1

** Not tainted

** Kernel log:
[48663.540448] type=1701 audit(1353191396.713:61288): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48676.162384] type=1701 audit(1353191409.369:61289): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48694.976825] type=1701 audit(1353191428.229:61290): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48700.647071] type=1701 audit(1353191433.913:61291): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48701.174793] type=1701 audit(1353191434.441:61292): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48709.513116] type=1701 audit(1353191442.801:61293): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48710.644056] type=1701 audit(1353191443.933:61294): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48714.976828] type=1701 audit(1353191448.277:61295): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48744.307278] type=1701 audit(1353191477.681:61296): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48760.732681] type=1701 audit(1353191494.145:61297): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48769.289330] type=1701 audit(1353191502.725:61298): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48792.491672] type=1701 audit(1353191525.985:61299): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f129a3121d7 code=0x5
[48792.491708] type=1701 audit(1353191525.985:61300): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491713] type=1701 audit(1353191525.985:61301): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491716] type=1701 audit(1353191525.985:61302): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491720] type=1701 audit(1353191525.985:61303): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491723] type=1701 audit(1353191525.985:61304): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491726] type=1701 audit(1353191525.985:61305): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8e0 code=0x5
[48792.491779] type=1701 audit(1353191525.985:61306): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=2 
compat=0 ip=0x7f12943ff8fd code=0x5
[48792.491789] type=1701 audit(1353191525.985:61307): auid=1000 uid=1000 
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=21 
compat=0 ip=0x7f12943ffb87 code=0x5
[48804.374728] audit_printk_skb: 22 callbacks suppressed
[48804.374731] type=1701 audit(1353191537.897:61319): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48807.164657] type=1701 audit(1353191540.693:61320): auid=1000 uid=1000 
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0 
ip=0x7f12964fb90d code=0x5
[48825.294859] type=1701 
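
Added example, not part of the original report and not Debian or kernel code: a Python triage sketch that rejoins the mail-wrapped records above, counts the reason=seccomp events per process and syscall, and totals what the rate limit dropped. The function names are illustrative, and the syscall names assume the x86_64 table (2 is open, 21 is access).

```python
import re
from collections import Counter

# Excerpt copied from the kernel log in the report above, keeping the mail
# line-wrapping, the rate-limit notice and the truncated final record.
SAMPLE = """\
[48663.540448] type=1701 audit(1353191396.713:61288): auid=1000 uid=1000
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0
ip=0x7f12964fb90d code=0x5
[48792.491789] type=1701 audit(1353191525.985:61307): auid=1000 uid=1000
gid=1000 ses=2 pid=41329 comm=chrome reason=seccomp sig=0 syscall=21
compat=0 ip=0x7f12943ffb87 code=0x5
[48804.374728] audit_printk_skb: 22 callbacks suppressed
[48804.374731] type=1701 audit(1353191537.897:61319): auid=1000 uid=1000
gid=1000 ses=2 pid=3788 comm=chrome reason=seccomp sig=0 syscall=2 compat=0
ip=0x7f12964fb90d code=0x5
[48825.294859] type=1701
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]")
RECORD = re.compile(r"type=1701 audit\(\d+\.\d+:\d+\):\s*(.*)")
SUPPRESSED = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")
# Names for the two syscall numbers seen in the report (x86_64 table, compat=0).
X86_64_SYSCALLS = {"2": "open", "21": "access"}

def unwrap(text):
    """Rejoin wrapped lines; a new entry starts with a [seconds.usec] stamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Count seccomp records per (comm, pid, syscall) and total suppressed."""
    counts, suppressed = Counter(), 0
    for entry in unwrap(text):
        if (m := SUPPRESSED.search(entry)):
            suppressed += int(m.group(1))
        elif (m := RECORD.search(entry)):
            f = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
            if f.get("reason") != "seccomp" or not {"comm", "pid", "syscall"} <= f.keys():
                continue  # other anomaly type, or a record cut off mid-line
            nr = f["syscall"]
            name = X86_64_SYSCALLS.get(nr, nr) if f.get("compat") == "0" else nr
            counts[(f["comm"], int(f["pid"]), name)] += 1
    return counts, suppressed
```

`summarize()` takes the log text as a string, for example the saved output of `dmesg`, and returns the per-process counter together with the suppressed total.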

Bug#693568: closed by Ben Hutchings b...@decadent.org.uk (Re: Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty)

2012-11-17 Thread brian m. carlson
On Sun, Nov 18, 2012 at 01:45:04AM +, Debian Bug Tracking System wrote:
> On Sat, 2012-11-17 at 23:05 +, brian m. carlson wrote:
> > Package: src:linux
> > Version: 3.6.6-1~experimental.1
> > Severity: normal
> >
> > As you can see in the logs below, the audit subsystem logs entirely too
> > many audit messages.  Since this is built into the kernel, I cannot
> > unload the module to prevent it from logging.  Since I use chrome, which
> > uses seccomp (apparently), this makes lots of useless noise in the logs,
> > preventing me from seeing important messages.  Earlier versions of the
> > kernel were not so verbose; please revert whatever change made the audit
> > subsystem so chatty.
> [...]
>
> This is a bug in Chrome, please report it there.

Last I checked, Chrome did not write to the kernel ring buffer.  The
kernel does not need to log every audit failure any more than it needs
to log every time a process tries to read a file that it does not have
permission to read or every segfault that occurs or every packet
dropped.  At the very least, there should be a file in procfs or sysfs
that allows people to turn this off if they don't want their logs filled
with useless crap.  All sorts of unexpected behaviors are blocked on
operating systems; very few of them deserve an entry in the kernel log.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Bug#693568: closed by Ben Hutchings b...@decadent.org.uk (Re: Bug#693568: linux-image-3.6-trunk-amd64: audit subsystem is far too chatty)

2012-11-17 Thread Ben Hutchings
On Sun, 2012-11-18 at 04:26 +, brian m. carlson wrote:
> On Sun, Nov 18, 2012 at 01:45:04AM +, Debian Bug Tracking System wrote:
> > On Sat, 2012-11-17 at 23:05 +, brian m. carlson wrote:
> > > Package: src:linux
> > > Version: 3.6.6-1~experimental.1
> > > Severity: normal
> > >
> > > As you can see in the logs below, the audit subsystem logs entirely too
> > > many audit messages.  Since this is built into the kernel, I cannot
> > > unload the module to prevent it from logging.  Since I use chrome, which
> > > uses seccomp (apparently), this makes lots of useless noise in the logs,
> > > preventing me from seeing important messages.  Earlier versions of the
> > > kernel were not so verbose; please revert whatever change made the audit
> > > subsystem so chatty.
> > [...]
> >
> > This is a bug in Chrome, please report it there.
>
> Last I checked, Chrome did not write to the kernel ring buffer.  The
> kernel does not need to log every audit failure any more than it needs
> to log every time a process tries to read a file that it does not have
> permission to read or every segfault that occurs or every packet
> dropped.

It's rate-limited.

> At the very least, there should be a file in procfs or sysfs
> that allows people to turn this off if they don't want their logs filled
> with useless crap.  All sorts of unexpected behaviors are blocked on
> operating systems; very few of them deserve an entry in the kernel log.

There's a good reason Chrome has a sandbox, and a reason why you should
know if it looks like something's trying to escape from it.  (Though I
think this is more likely to be a simple bug than a blocked attack.)

Ben.

-- 
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson

