[GH-ISSUE #5277] qtox: audit log spam due to blocked netlink #2942

Closed
opened 2026-05-05 09:36:20 -06:00 by gitea-mirror · 7 comments

Originally created by @JeremyMahieu on GitHub (Jul 28, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5277

Is your feature request related to a problem? Please describe.

In the profile for qtox only protocols inet, inet6, and unix are enabled while qtox is confined with seccomp. This leads to generation of seccomp violation reports since qtox also needs AF_NETLINK sockets.
The reports look like this:

Jul 28 11:17:03 XYZ audit[12345]: SECCOMP auid=1234 uid=1234 gid=1234 ses=1 subj==firejail-default (enforce) pid=12345 comm=<hash> exe="/usr/bin/qtox" sig=0 arch=bbbbbbbb syscall=41 compat=0 ip=0xaaaaaaaaaaaa code=0xababa

Describe the solution you'd like

This seemingly does not interfere with qtox's functionality but please consider adding netlink to permitted protocols in that profile.

Describe alternatives you've considered

Ignoring the seccomp violation messages, but they pollute the system journal and occur a few times every 10 seconds.

Additional context

The system should have the audit framework enabled and auditd running for logging to the journal to happen. Systems configured otherwise will not see the same messages.
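Before deciding between loosening the profile (a qtox.local override adding netlink) and silencing the audit records, it helps to be able to triage records of the shape shown above at scale: which executable trips seccomp, on which syscall for which arch, and whether the filter only logged or denied the call (sig=0) or killed the process (SIGSYS, sig=31). The script below is an added example written for this page; it is not code from firejail or from anyone in the thread. The log lines in it are constructed, the arch identifiers and syscall numbers come from the kernel ABI (on x86_64, syscall 41 is socket), and scoping the suggested exclude rule to msgtype=SECCOMP is an assumption to confirm against the local auditctl(8); the thread's own rule filters on exe alone.

```python
"""Triage Linux audit SECCOMP records (journal or raw auditd format).

Added example for this issue page, not firejail code.  Sample records are
constructed; arch/syscall tables are partial and taken from the kernel ABI.
"""
import re
from collections import Counter

# AUDIT_ARCH_* values from linux/audit.h: ELF machine OR'd with the
# 64-bit (0x80000000) and little-endian (0x40000000) flags.
AUDIT_ARCH = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
}

# Syscall numbers for the entries used here (deliberately partial).
SYSCALL_NAMES = {
    "x86_64": {41: "socket", 42: "connect", 49: "bind"},
    "i386": {102: "socketcall", 359: "socket"},
    "aarch64": {198: "socket", 203: "connect"},
}

# key=value pairs; values may be double-quoted.  "subj==firejail-default"
# parses as key "subj" with value "=firejail-default", fixed up below.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Return a dict for one SECCOMP record, or None for any other line.

    Unknown arch ids and syscall numbers (e.g. the placeholders in the
    issue text) are kept as 'arch_<hex>' / 'nr_<n>' rather than dropped.
    """
    if "SECCOMP" not in line:
        return None
    fields = {k: v.strip('"').lstrip("=") for k, v in _KV.findall(line)}
    try:
        arch = int(fields["arch"], 16)
        nr = int(fields["syscall"])
    except (KeyError, ValueError):
        return None
    arch_name = AUDIT_ARCH.get(arch, "arch_%x" % arch)
    return {
        "exe": fields.get("exe", "?"),
        "pid": fields.get("pid"),
        "arch": arch_name,
        "syscall": SYSCALL_NAMES.get(arch_name, {}).get(nr, "nr_%d" % nr),
        # sig=0: the filter returned (errno/log) and the process carried on.
        # sig=31 (SIGSYS): the filter killed the thread/process.
        "killed": fields.get("sig", "0") != "0",
        "subj": fields.get("subj", ""),
    }


def summarize(lines):
    """Count records by (exe, arch, syscall, killed); non-SECCOMP lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec:
            counts[(rec["exe"], rec["arch"], rec["syscall"], rec["killed"])] += 1
    return counts


def exclude_rules(counts):
    """Suggest audit exclude rules only for executables whose SECCOMP records
    are all non-fatal (sig=0), i.e. log noise rather than crashes.

    Assumption: the local auditctl accepts -F msgtype together with -F exe on
    the exclude list; check with auditctl(8).  Without msgtype the rule would
    hide every audit record from that executable, not just seccomp ones.
    """
    by_exe = {}
    for (exe, _arch, _syscall, killed), _n in counts.items():
        by_exe.setdefault(exe, set()).add(killed)
    return ["-a always,exclude -F msgtype=SECCOMP -F exe=%s" % exe
            for exe, killed in sorted(by_exe.items()) if killed == {False}]


# Constructed sample in the issue's journal format (not a real capture).
# code=0x50000 is SECCOMP_RET_ERRNO (denied, process continues);
# code=0x0 is SECCOMP_RET_KILL_THREAD, hence sig=31 (SIGSYS).
SAMPLE_JOURNAL = """\
Jul 28 11:17:03 host audit[12345]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==firejail-default (enforce) pid=12345 comm="qtox" exe="/usr/bin/qtox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f0a1c2d3e4f code=0x50000
Jul 28 11:17:13 host audit[12345]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==firejail-default (enforce) pid=12345 comm="qtox" exe="/usr/bin/qtox" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f0a1c2d3e4f code=0x50000
Jul 28 11:17:20 host audit[23456]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==firejail-default (enforce) pid=23456 comm="evil" exe="/tmp/evil" sig=31 arch=c000003e syscall=42 compat=0 ip=0x55d2a8c01234 code=0x0
Jul 28 11:17:21 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 52022 ssh2
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE_JOURNAL.splitlines())
    for (exe, arch, syscall, killed), n in sorted(counts.items()):
        print("%-16s %-8s %-10s %s x%d" % (exe, arch, syscall, "KILLED" if killed else "denied", n))
    for rule in exclude_rules(counts):
        print(rule)
```

Run it against `journalctl -k -o cat` or `ausearch -m SECCOMP --raw` output instead of the constructed sample to get the real picture for a host. The split on `sig` is the useful one: the qtox case in this issue is the sig=0 pattern (the call is refused and the program keeps working), which is a candidate for an audit exclude rule or a profile change, whereas a sig=31 record means a process actually died and should never be silenced. Note that the volume of sig=0 records is also governed kernel-wide by the `kernel.seccomp.actions_logged` sysctl, which affects every seccomp user on the machine, so the per-executable audit rule is the narrower tool.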

gitea-mirror closed this issue and added the duplicate label (2026-05-05 09:36:20 -06:00).

@ghost commented on GitHub (Jul 28, 2022):

Describe alternatives you've considered
Ignoring the seccomp violation messages, but they pollute the system journal and occur a few times every 10 seconds.

One can always add netlink in a qtox.local override. But, IMO, when an application functions properly without it, and the issue is only journal spamming, users can add a rule to audit's configuration to silence these warnings. That way the sandbox is kept nicely tight and the irritating spamming is handled cleanly. Here's an example you can try in case of qtox:

$ cat /etc/audit/rules.d/20-dont-audit.rules

[...]
-a always,exclude -F exe=/usr/bin/qtox

Let's wait a bit to let other people give their opinion on how to proceed here (adding a comment on how to silence these warnings, or adding netlink to protocol).


@rusty-snake commented on GitHub (Jul 28, 2022):

Journal spamming is already fixed (#5207).
If qtox works w/o netlink we should not weaken its profile for cosmetic reasons.

I would close as won't fix/duplicate.


@ghost commented on GitHub (Jul 28, 2022):

@JeremyMahieu So what the above comments boil down to is that the issue should be fixed in git already. Consult our wiki for instructions on how to build from git (https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).


@kmk3 commented on GitHub (Jul 29, 2022):

(Re-closing as "not planned", since it was marked as duplicate)

Duplicate of #5207.

Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event (https://docs.github.com/en/issues/tracking-your-work-with-issues/marking-issues-or-pull-requests-as-a-duplicate)...


@rusty-snake commented on GitHub (Jul 29, 2022):

Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event...

It only does so if Duplicate of #1234 is the only text in your comment. Even a . at the end stops it IIRC.


@kmk3 commented on GitHub (Jul 29, 2022):

Duplicate of #5207


@kmk3 commented on GitHub (Jul 29, 2022):

@rusty-snake commented on Jul 29 (https://github.com/netblue30/firejail/issues/5277#issuecomment-1199643546):

Edit: For some reason, GitHub is not creating the "marked this as a duplicate" timeline event...

It only does so if Duplicate of #1234 is the only text in your comment. Even a . at the end stops it IIRC.

Thanks! I had a hunch that it could be due to that, but I refused to believe that it would be so brittle hehe.

I mean, even GitHub's own dependabot puts a dot at the end on similar comments[1]:

Superseded by #XXX.

[1] https://github.com/kmk3/firejail/pull/15#issuecomment-1165379263

Reference: github-starred/firejail#2942