Feature Request: Rate limit apparmor denial logs

Bug #1932342 reported by Martin
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: John Johansen
Milestone: none

Bug Description

While running Discord, AppArmor prints a ton of denials every second. The lines look something like this:

> Jun 17 18:00:14 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

I'm thankful that AppArmor is preventing it from using pthread to mess with my system. However, I wish it didn't spam my logs so much. Would it be possible to implement a system whereby subsequent identical logs within the same second are deduplicated? For example, instead of 127 separate denial lines, one second could look like this:

> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1383/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [3 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1407/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [48 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="snap.snap-store.ubuntu-software"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [15 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="docker-default"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/14296/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [8 identical messages omitted]
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/93917/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
> Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [40 identical messages omitted]

Of course, it would've been nice if Discord wasn't persistently trying to ptrace everything on my system all the time even after being denied, but AppArmor exists to deal with misbehaving applications, so we kinda have to expect that the applications it deals with will be misbehaving.

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: apparmor 3.0.0-0ubuntu7
ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
Uname: Linux 5.11.0-18-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Jun 17 17:58:38 2021
InstallationDate: Installed on 2021-06-10 (7 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-18-generic root=UUID=802cdec1-14ec-442d-a9c6-ae876626bd24 ro quiet splash vt.handoff=7
RebootRequiredPkgs: gnome-shell
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
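The per-second deduplication the report asks for, written out as an added example for this page (it is not code from the bug report, from AppArmor, or from the audit subsystem). It collapses runs of identical consecutive denial lines that share a timestamp into the first line plus one "[N identical messages omitted]" line, and adds a tally by profile, operation and target so a deluge like the one above can be triaged. The syslog-style prefix ("Jun 17 18:02:29 host audit[pid]: AVC ...") is assumed, and the sample lines are constructed to mirror the ones quoted in the report.

```python
"""Collapse runs of identical AppArmor denial lines logged within the same
second, in the style the feature request above asks for.

Added example for this page, not code from the bug report or from AppArmor.
The log lines below are constructed to mirror the ones in the report; the
syslog-style prefix ("Jun 17 18:02:29 host audit[pid]: AVC ...") is assumed.
"""
import re
from collections import Counter

# "Jun 17 18:02:29" (syslog pads single-digit days with a second space), then the message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# key="quoted value" or key=bare_value pairs in the AVC message.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Everything up to and including apparmor="DENIED", kept on the summary line.
PREFIX_RE = re.compile(r'(.*?apparmor="[^"]*")')


def parse(line):
    """Split a line into (timestamp, message); None for lines we do not understand."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("rest")) if m else None


def fields(message):
    """Turn 'key="value" key=value ...' into a dict of strings."""
    return {k: q if q else u for k, q, u in KV_RE.findall(message)}


def summary_line(ts, message, omitted):
    """Build the '[N identical messages omitted]' line in the report's format."""
    m = PREFIX_RE.match(message)
    prefix = m.group(1) if m else message
    noun = "message" if omitted == 1 else "messages"
    return f"{ts} {prefix} [{omitted} identical {noun} omitted]"


def collapse(lines):
    """Keep the first line of each run of identical consecutive messages that
    share a timestamp and replace the rest of the run with one summary line.
    A change of second breaks the run even if the text is otherwise identical,
    and lines that do not parse are passed through untouched."""
    out, prev, run = [], None, 0

    def flush():
        if run > 1:
            out.append(summary_line(prev[0], prev[1], run - 1))

    for line in lines:
        cur = parse(line)
        if cur is not None and cur == prev:
            run += 1
            continue
        flush()
        out.append(line)
        prev, run = cur, (1 if cur is not None else 0)
    flush()
    return out


def tally(lines):
    """Count DENIED events per (profile, operation, target), folding
    /proc/<pid>/ paths together, so the deluge can be triaged at a glance."""
    counts = Counter()
    for line in lines:
        cur = parse(line)
        if cur is None:
            continue
        f = fields(cur[1])
        if f.get("apparmor") != "DENIED":
            continue
        target = f.get("name") or f.get("peer") or ""
        target = re.sub(r"/proc/\d+/", "/proc/*/", target)
        counts[(f.get("profile", ""), f.get("operation", ""), target)] += 1
    return counts


# Constructed sample, patterned on the lines quoted in the bug report.
PFX = 'Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" '
PTRACE_UNCONFINED = PFX + ('operation="ptrace" profile="snap.discord.discord" pid=267198 '
                           'comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"')
PTRACE_DOCKER = PTRACE_UNCONFINED.replace('peer="unconfined"', 'peer="docker-default"')
OPEN_1383 = PFX + ('operation="open" profile="snap.discord.discord" name="/proc/1383/cmdline" '
                   'pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
OPEN_1407 = OPEN_1383.replace("/proc/1383/", "/proc/1407/")
NEXT_SECOND = PTRACE_UNCONFINED.replace("18:02:29", "18:02:30")

SAMPLE = ([PTRACE_UNCONFINED] * 4 + [OPEN_1383] + [PTRACE_UNCONFINED] * 2
          + [OPEN_1407] + [PTRACE_DOCKER] + [NEXT_SECOND] * 3)

if __name__ == "__main__":
    for line in collapse(SAMPLE):
        print(line)
    for (profile, op, target), n in tally(SAMPLE).most_common():
        print(f"{n:4d}  {profile}  {op}  {target}")
```

Run stand-alone it reduces the 12 constructed lines to 9 and prints a tally showing that 9 of the 12 are the same ptrace read of unconfined peers. Note that a deduplicator like this only hides the volume after the fact; whatever writes the lines (the kernel audit path and journald) has already done the work, which is why the reply below points at rate limiting in the audit subsystem and in AppArmor itself.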

Revision history for this message
John Johansen (jjohansen) wrote :

Currently AppArmor relies on the audit subsystem's rate limiting. There is an improved AppArmor-specific rate limit coming, probably in 5.15 or 5.16, just dependent on when that work can be landed.

Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

See also https://github.com/snapcrafters/discord/issues/23 -- there may be some other advice buried in there on how to deal with the deluge while also not giving discord permission to see all the processes you're running.

Thanks

Revision history for this message
John Johansen (jjohansen) wrote :

While not rate limiting there is a solution to make the DENIAL messages go away. Adding an explicit denial rule to the profile will tell apparmor this is a known DENIAL that doesn't need to be audited.

  deny ptrace read,
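To show how that rule sits in a profile, here is a constructed fragment added for this page (not the snap's real profile and not code from the bug report): the same two kinds of access seen in the log, first with no matching rule, then with explicit deny rules that keep the denial but drop the audit record. The profile name and binary path are placeholders, and `@{PROC}` comes from `tunables/global`.

```apparmor
#include <tunables/global>

# Constructed example profile. With no rule for ptrace or /proc/<pid>/cmdline,
# every attempt is rejected AND logged as apparmor="DENIED", subject only to the
# audit subsystem's rate limiting.
profile example_noisy /usr/bin/example {
  # ... the rest of the profile ...
}

# Same decisions, quiet: explicit deny rules are not audited by default,
# so the access is still refused but the log line is not emitted.
profile example_quiet /usr/bin/example {
  # ... the rest of the profile ...

  deny ptrace read,
  deny @{PROC}/[0-9]*/cmdline r,

  # If one class of denial should still be visible, prefix it with audit;
  # for example, keep a record of attempts to read a confined peer:
  # audit deny ptrace read peer=docker-default,
}
```

After editing a profile under /etc/apparmor.d, reload it with `sudo apparmor_parser -r /etc/apparmor.d/<profile>`. Two caveats for this particular bug: a snap's profile is generated by snapd and regenerated on refresh, so hand edits to it do not persist (the snapcrafters issue linked above is the right place to look for the snap-side fix), and quieting a denial removes the only signal you have that the application is still probing other processes, so keep the `audit` form on anything you would want to know about.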
