[GH-ISSUE #5207] Flood of seccomp audit log entries #2917

Closed
opened 2026-05-05 09:34:56 -06:00 by gitea-mirror · 12 comments

Originally created by @EdiDD on GitHub (Jun 17, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5207

There are many log entries like: audit: SECCOMP ... and kernel: audit: ... in the journal, probably because of (firejail 0.9.70):

* #5110

Is there a way to disable this or make these messages silently ignored?
gitea-mirror 2026-05-05 09:34:56 -06:00
  • closed this issue
  • added the bug label

@netblue30 commented on GitHub (Jun 17, 2022):

Bug! I have it on my computer so far for whois, transmission, and Tor browser. Log example:

```
Jun 17 07:50:36 debian kernel: [ 4566.037606] audit: type=1326 audit(1655466636.900:143): auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=7841 comm=517420626561726572207468726561 exe="/usr/bin/transmission-qt" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f83e851f477 code=0x50000
```

Syscall 41 is "socket" (you can get the name by running "firejail --debug-syscalls"). In the profile I had to add "netlink" and "unix":

```
protocol unix,inet,inet6,netlink
```

Let's look in the logs for some more programs generating this kind of message. Thanks for the bug!
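
For finding which sandboxed programs produce these records, a small parser for the type=1326 line quoted above, as an added example that is not part of the original thread or of firejail's code. The second sample record is constructed, and the lookup tables cover only the arch and syscall number named in the thread.

```python
import re
from collections import Counter

# Sample input: first record is the one quoted in the thread, second is constructed.
SAMPLE = """\
Jun 17 07:50:36 debian kernel: [ 4566.037606] audit: type=1326 audit(1655466636.900:143): auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=7841 comm=517420626561726572207468726561 exe="/usr/bin/transmission-qt" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f83e851f477 code=0x50000
Jun 17 07:51:02 debian kernel: [ 4592.120011] audit: type=1326 audit(1655466662.100:144): auid=1000 uid=1000 gid=1000 ses=2 subj==firejail-default (enforce) pid=7902 comm="curl" exe="/usr/bin/curl" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f0a1c2d3477 code=0x50000
"""

# Partial tables (x86_64 only; extend from `firejail --debug-syscalls`), actions per <linux/seccomp.h>.
ARCHES = {0xC000003E: "x86_64"}
SYSCALLS = {"x86_64": {41: "socket"}}
ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
           0x00050000: "ERRNO", 0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
           0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_text(value):
    """audit quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. "(null)" or "?"

def parse_seccomp(line):
    """Return a dict for a type=1326 (SECCOMP) record, or None for any other line."""
    fields = dict(FIELD.findall(line))
    if fields.get("type") != "1326":
        return None
    try:
        arch = ARCHES.get(int(fields["arch"], 16), fields["arch"])
        nr, code = int(fields["syscall"]), int(fields["code"], 16)
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    return {"exe": decode_text(fields.get("exe", "?")),
            "comm": decode_text(fields.get("comm", "?")), "arch": arch,
            "syscall": SYSCALLS.get(arch, {}).get(nr, str(nr)),
            "action": ACTIONS.get(code & 0xFFFF0000, hex(code))}

def summarize(text):
    """Count records per (exe, syscall, action) to see which programs cause the flood."""
    records = filter(None, map(parse_seccomp, text.splitlines()))
    return Counter((r["exe"], r["syscall"], r["action"]) for r in records)

if __name__ == "__main__":
    for (exe, syscall, action), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {exe}  {syscall}  {action}")
```

The hex `comm` value in the quoted record decodes to a thread name, and `code=0x50000` is the ERRNO action: the call was refused with an error and logged, not killed.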

@rusty-snake commented on GitHub (Jun 17, 2022):

Previous discussion with suggested fix (and deleted comment 👎): https://github.com/netblue30/firejail/discussions/5181#discussioncomment-2947406
Please link to previous discussion if you move them.


-protocol inet,inet6
+protocol unix,inet,inet6,netlink
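
Review bot: on the `+protocol unix,inet,inet6,netlink` line, two address families are added with no comment saying which program needs them or why. The audit record quoted earlier in the thread reports only `syscall=41`, not the family passed to it, so the visible evidence does not show that `unix` or `netlink` is what was requested. Suggest keeping `protocol inet,inet6` unless the need for each added family is documented next to the line.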

Do we really need to open all this?


@ghost commented on GitHub (Jun 17, 2022):

Personally I tend to agree with @rusty-snake's comment above. It seems overkill to allow a potentially insecure `netlink` protocol 'just' to keep cleaner logs IMO. Perhaps a comment would be more appropriate instead?

Besides, users can always provide their own audit filtering via `/etc/audit/rules.d` for log sanity (audit tends to be very verbose by default). See [this](https://wiki.archlinux.org/title/Audit_framework#Filter_unwanted_messages) for some examples.

@netblue30 commented on GitHub (Jun 17, 2022):

Good point! I'll add instead a configuration flag in /etc/firejail/firejail.config to shut down the automatic logging, enabled by default. Will this work?


@ghost commented on GitHub (Jun 17, 2022):

> Good point! I'll add instead a configuration flag in /etc/firejail/firejail.config to shut down the automatic logging, enabled by default. Will this work?

It should work yes. I happen to have some extra time to test if you'd like. Been doing some specific audit filtering lately in another context, that's why it occurred to me it might be a more appropriate way to deal with this. Once things settle down code-wise I can add a wiki item with some example rules for log sanitation. Thanks for looking into things!

@EdiDD commented on GitHub (Jun 18, 2022):

> Let's look in the logs for some more programs generating this kind of messages. Thanks for the bug!

It also occurs in `curl`

@netblue30 commented on GitHub (Jun 18, 2022):

I added "seccomp-log no" in /etc/firejail/firejail.config

https://github.com/netblue30/firejail/commit/c7e4c8ed592fee7f1644152a23c3e1343b01b922

@EdiDD commented on GitHub (Jun 18, 2022):

Great! Waiting for a patched release. Thank you.

@ghost commented on GitHub (Jun 19, 2022):

@netblue30 https://github.com/netblue30/firejail/commit/c7e4c8ed592fee7f1644152a23c3e1343b01b922 works fine, thanks! Just one question: now this is 'fixed', can/should we revert https://github.com/netblue30/firejail/commit/17774ad5464feb83edbb8971fd51e029ae608a6d?

@netblue30 commented on GitHub (Jun 20, 2022):

Forgot about it. I've just reverted it.

@kmk3 commented on GitHub (Jun 20, 2022):

@rusty-snake commented [on May 20](https://github.com/netblue30/firejail/issues/5110#issuecomment-1132866965):

> FTR: [c0d314f](https://github.com/netblue30/firejail/commit/c0d314f945b405f1e90a1a43719059cd22f55de7)

@SkewedZeppelin Can this be reverted as well?

@SkewedZeppelin commented on GitHub (Jun 21, 2022):

@kmk3

did
