Feature Request: Rate limit apparmor denial logs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
Confirmed
|
Wishlist
|
John Johansen |
Bug Description
While running Discord, AppArmor prints a ton of denials every second. The lines look something like this:
> Jun 17 18:00:14 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
I'm thankful that AppArmor is preventing it from using pthread to mess with my system. However, I wish it didn't spam my logs so much. Would it be possible to implement a system whereby subsequent identical logs within the same second are deduplicated? For example, instead of 127 separate denials lines, one second could look like this:
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [3 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [48 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [15 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [8 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile=
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [40 identical messages omitted]
Of course, it would've been nice if Discord wasn't persistently trying to ptrace everything on my system all the time even after being denied, but AppArmor exists to deal with misbehaving applications, so we kinda have to expect that the applications it deals with will be misbehaving.
ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: apparmor 3.0.0-0ubuntu7
ProcVersionSign
Uname: Linux 5.11.0-18-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 17 17:58:38 2021
InstallationDate: Installed on 2021-06-10 (7 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
ProcKernelCmdline: BOOT_IMAGE=
RebootRequiredPkgs: gnome-shell
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
Currently AppArmor relies on the audit subsystem's rate limiting. There is improved AppArmor specific rate limit coming probably in 5.15 or 5.16 just dependent on when that work can be landed.