Chrome spews seccomp audit messages

Bug #1079469 reported by Kees Cook
48
This bug affects 10 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Kees Cook
Quantal
Fix Released
Medium
Kees Cook
Raring
Fix Released
Medium
Unassigned

Bug Description

When Chrome runs on precise and quantal, it spews seccomp audit messages for expected situations. It should only force audit messages for unexpected process death.

Revision history for this message
Kees Cook (kees) wrote :

This may only happen when using the nvidia driver. Examples:

[ 5807.190390] type=1701 audit(1353014224.959:2015): auid=39888 uid=39888 gid=5000 ses=5 pid=16022 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7ffe8f113205 code=0x50002
[ 5807.192790] type=1701 audit(1353014224.959:2016): auid=39888 uid=39888 gid=5000 ses=5 pid=16022 comm="chrome" reason="seccomp" sig=0 syscall=21 compat=0 ip=0x7ffe8f113957 code=0x50002
...

Changed in linux (Ubuntu Precise):
status: New → Confirmed
Changed in linux (Ubuntu Quantal):
status: New → Confirmed
Changed in linux (Ubuntu Raring):
status: New → Confirmed
tags: added: kernel-da-key precise quantal raring
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux (Ubuntu Raring):
importance: Undecided → Medium
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Hi Kees,

Do you happen to know if this also happens on the latest mainline kernel?

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Precise):
status: Confirmed → Fix Committed
assignee: nobody → Kees Cook (kees)
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Quantal):
status: Confirmed → In Progress
Changed in linux (Ubuntu Raring):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Quantal):
assignee: nobody → Kees Cook (kees)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.7.0-3.9

---------------
linux (3.7.0-3.9) raring; urgency=low

  [ Leann Ogasawara ]

  * [Config] Enable CONFIG_X86_CPUFREQ_NFORCE2=y
    - LP: #1079900
  * Add nfsv3 to nfs-modules udeb

  [ Paolo Pisati ]

  * [Config] SND_OMAP_SOC*=y
    - LP: #1019321

  [ Stefan Bader ]

  * SAUCE: (no-up) xen/netfront: handle compound page fragments on transmit
    - LP: #1078926

  [ Tim Gardner ]

  * Revert "SAUCE: SECCOMP: audit: always report seccomp violations"
    - LP: #1079469
  * Revert "SAUCE: omap3 clocks .dev_id = NULL"
  * rebase to v3.7-rc6
  * SAUCE: script to detect obsolete firmware
  * SAUCE: Remove yam files duplicated in linux-firmware
  * SAUCE: Remove tehuti files duplicated in linux-firmware
  * SAUCE: Remove matrox files duplicated in linux-firmware
  * SAUCE: Remove cxgb3 files duplicated in linux-firmware
  * SAUCE: Remove r128 files duplicated in linux-firmware
  * SAUCE: Remove acenic files duplicated in linux-firmware
  * SAUCE: Remove keyspan files duplicated in linux-firmware
  * SAUCE: Remove sun files duplicated in linux-firmware
  * SAUCE: Remove radeon files duplicated in linux-firmware
  * SAUCE: Update bnx2x firmware to 7.8.2.0
  * [Config] generic.inclusion-list: econet has disappeared

  [ Upstream Kernel Changes ]

  * seccomp: forcing auditing of kill condition
    - LP: #1079469
  * rebase to v3.7-rc6
 -- Leann Ogasawara <email address hidden> Tue, 20 Nov 2012 12:28:55 -0800

Changed in linux (Ubuntu Raring):
status: Fix Committed → Fix Released
Revision history for this message
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Precise in -proposed solves the problem (3.2.0-35.55). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Revision history for this message
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Quantal in -proposed solves the problem (3.5.0-20.31). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-quantal
Revision history for this message
Jason Conti (jconti) wrote :

Excellent, just noticed this bug while testing out other fixes in the linux-image-3.5.0-20-generic -proposed package. Before updating I had about 350 seccomp audit messages for google-chrome in dmesg after about an hour of use. After installing the fixed kernel, 0 seccomp audit messages for google-chrome in dmesg. Verified fixed for quantal.

tags: added: verification-done-quantal
removed: verification-needed-quantal
Revision history for this message
Miklos Juhasz (mjuhasz) wrote :

Same here on Precise: with the proposed package I don't see the seccomp audit messages for google-chrome in dmesg anymore.

tags: added: verification-done-precise
removed: verification-needed-precise
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (7.4 KiB)

This bug was fixed in the package linux - 3.2.0-35.55

---------------
linux (3.2.0-35.55) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1086856

  [ Andy Whitcroft ]

  * Revert "SAUCE: ata_piix: add a disable_driver option"
    - LP: #1079084
  * Revert "SAUCE: ata_piix: defer disks to the Hyper-V drivers by default"
    - LP: #1079084
  * SAUCE: ata_piix: add a disable_driver option
    - LP: #1079084, #994870

  [ Upstream Kernel Changes ]

  * libata: add a host flag to ignore detected ATA devices
    - LP: #1079084
  * ata_piix: defer disks to the Hyper-V drivers by default
    - LP: #1079084, #929545, #942316

linux (3.2.0-35.54) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1086349

  [ Kees Cook ]

  * Revert "SAUCE: SECCOMP: audit: always report seccomp violations"
    - LP: #1079469

  [ Luis Henriques ]

  * SAUCE: SECCOMP: audit: fix build on archs without CONFIG_AUDITSYSCALL
    - LP: #1079469

  [ Upstream Kernel Changes ]

  * seccomp: forcing auditing of kill condition
    - LP: #1079469
  * Bluetooth: Avoid calling undefined smp_conn_security()
    - LP: #1081676
  * x86: Remove the ancient and deprecated disable_hlt() and enable_hlt()
    facility
    - LP: #1081676
  * drm/nouveau: silence modesetting spam on pre-gf8 chipsets
    - LP: #1081676
  * drm/nouveau: fix suspend/resume when in headless mode
    - LP: #1081676
  * drm/nouveau: headless mode by default if pci class != vga display
    - LP: #1081676
  * nfsd: add get_uint for u32's
    - LP: #1081676
  * ALSA: PCM: Fix some races at disconnection
    - LP: #1081676
  * ALSA: usb-audio: Fix races at disconnection
    - LP: #1081676
  * ALSA: usb-audio: Use rwsem for disconnect protection
    - LP: #1081676
  * ALSA: usb-audio: Fix races at disconnection in mixer_quirks.c
    - LP: #1081676
  * ALSA: Add a reference counter to card instance
    - LP: #1081676
  * ALSA: Avoid endless sleep after disconnect
    - LP: #1081676
  * drm/radeon: fix typo in evergreen_mc_resume()
    - LP: #1081676
  * USB: mos7840: remove unused variable
    - LP: #1081676
  * rtnetlink: Fix problem with buffer allocation
    - LP: #1081676
  * rtnetlink: fix rtnl_calcit() and rtnl_dump_ifinfo()
    - LP: #1081676
  * gpio-timberdale: fix a potential wrapping issue
    - LP: #1081676
  * cfg80211: fix antenna gain handling
    - LP: #1081676
  * drm/i915: fix overlay on i830M
    - LP: #1081676
  * drm/i915: fixup infoframe support for sdvo
    - LP: #1081676
  * drm/i915: clear the entire sdvo infoframe buffer
    - LP: #1081676
  * crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent
    data corruption
    - LP: #1081676
  * ARM: at91: at91sam9g10: fix SOC type detection
    - LP: #1081676
  * ARM: at91/i2c: change id to let i2c-gpio work
    - LP: #1081676
  * mac80211: Only process mesh config header on frames that RA_MATCH
    - LP: #1081676
  * mac80211: don't inspect Sequence Control field on control frames
    - LP: #1081676
  * mac80211: fix SSID copy on IBSS JOIN
    - LP: #1081676
  * wireless: drop invalid mesh address extension frames
    - LP: #1081676
  * mac80211: check managem...

Read more...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (24.2 KiB)

This bug was fixed in the package linux - 3.5.0-21.32

---------------
linux (3.5.0-21.32) quantal-proposed; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1088979
  * SAUCE: i915_hsw: move i915_hsw_enabled symbol to intel_ips
    - LP: #1087622

linux (3.5.0-20.31) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1086759

  [ Ben Widawsky ]

  * SAUCE: i915_hsw: Include #define I915_PARAM_HAS_WAIT_TIMEOUT
    - LP: #1085245
  * SAUCE: i915_hsw: Include #define DRM_I915_GEM_CONTEXT_[CREATE,DESTROY]
    - LP: #1085245
  * SAUCE: i915_hsw: drm/i915: add register read IOCTL
    - LP: #1085245
  * SAUCE: i915_hsw: Include #define i915_execbuffer2_[set,get]_context_id
    - LP: #1085245

  [ Chris Wilson ]

  * SAUCE: i915_hsw: Include #define I915_GEM_PARAM_HAS_SEMAPHORES
    - LP: #1085245
  * SAUCE: i915_hsw: Include #define I915_PARAM_HAS_SECURE_BATCHES
    - LP: #1085245

  [ Daniel Vetter ]

  * SAUCE: i915_hsw: drm/i915: call intel_enable_gtt
    - LP: #1085245
  * SAUCE: i915_hsw: drm: add helper to sort panels to the head of the
    connector list
    - LP: #1085245
  * SAUCE: i915_hsw: drm: extract dp link bw helpers
    - LP: #1085245
  * SAUCE: i915_hsw: drm: extract drm_dp_max_lane_count helper
    - LP: #1085245
  * SAUCE: i915_hsw: drm: dp helper: extract drm_dp_channel_eq_ok
    - LP: #1085245
  * SAUCE: i915_hsw: drm: extract helpers to compute new training values
    from sink request
    - LP: #1085245
  * SAUCE: i915_hsw: drm: dp helper: extract drm_dp_clock_recovery_ok
    - LP: #1085245

  [ Dave Airlie ]

  * SAUCE: i915_hsw: Include #define I915_PARAM_HAS_PRIME_VMAP_FLUSH
    - LP: #1085245

  [ Leann Ogasawara ]

  * SAUCE: i915_hsw: Provide an ubuntu/i915 driver for Haswell graphics
    - LP: #1085245
  * SAUCE: i915_hsw: Revert "drm: Make the .mode_fixup() operations mode
    argument a const pointer" for ubuntu/i915 driver
    - LP: #1085245
  * SAUCE: i915_hsw: Rename ubuntu/i915 driver i915_hsw
    - LP: #1085245
  * SAUCE: i915_hsw: Only support Haswell with ubuntu/i915 driver
    - LP: #1085245
  * SAUCE: i915_hsw: Include #define DRM_I915_GEM_WAIT
    - LP: #1085245
  * SAUCE: i915_hsw: drm: extract dp link train delay functions from radeon
    - LP: #1085245
  * SAUCE: i915_hsw: drm/dp: Update DPCD defines
    - LP: #1085245
  * SAUCE: i915_hsw: Update intel_ips.h file location
    - LP: #1085245
  * SAUCE: i915_hsw: Provide updated drm_mm.h and drm_mm.c for ubuntu/i915
    - LP: #1085245
  * SAUCE: i915_hsw: drm/i915: Replace the array of pages with a
    scatterlist
    - LP: #1085245
  * SAUCE: i915_hsw: drm/i915: Replace the array of pages with a
    scatterlist
    - LP: #1085245
  * SAUCE: i915_hsw: drm/i915: Stop using AGP layer for GEN6+
    - LP: #1085245
  * SAUCE: i915_hsw: Add i915_hsw_gpu_*() calls for ubuntu/i915
    - LP: #1085245
  * i915_hsw: [Config] Enable CONFIG_DRM_I915_HSW=m
    - LP: #1085245

  [ Paulo Zanoni ]

  * SAUCE: drm/i915: fix hsw_fdi_link_train "retry" code
    - LP: #1085245
  * SAUCE: drm/i915: reject modes the LPT FDI receiver can't handle
    - LP: #1085245
  * SAUCE: drm/i915: add support for mPHY destination on i...

Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
DougL (dlarue) wrote :

maybe a regression because I'm getting them ( 04/01/2013 ) with kernel 3.5.0-18 on 12.04 LTS

$ cat /proc/version
Linux version 3.5.0-18-generic (buildd@samarium) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #29-Ubuntu SMP Wed Oct 24 19:51:55 UTC 2012

$ dmesg | tail
[98149.229509] type=1701 audit(1364868627.490:3035): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19868 comm="chrome" reason="seccomp" sig=0 syscall=33 compat=0 ip=0xb2f02424 code=0x50000
[98149.779305] type=1701 audit(1364868628.038:3036): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19868 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2f02424 code=0x50000
[98160.006675] type=1701 audit(1364868638.266:3037): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19868 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2f02424 code=0x50000
[98160.006690] type=1701 audit(1364868638.266:3038): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19868 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2f02424 code=0x50000
[98330.656940] type=1701 audit(1364868808.916:3039): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2f02424 code=0x50000
[98330.656950] type=1701 audit(1364868808.916:3040): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2f02424 code=0x50000
[98330.656956] type=1701 audit(1364868808.916:3041): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2f02424 code=0x50000
[98330.656962] type=1701 audit(1364868808.916:3042): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2f02424 code=0x50000
[98330.656968] type=1701 audit(1364868808.916:3043): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2f02424 code=0x50000
[98330.686672] type=1701 audit(1364868808.944:3044): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=19922 comm="chrome" reason="seccomp" sig=0 syscall=33 compat=0 ip=0xb2f02424 code=0x50000

Revision history for this message
Francesco Visin (fvisin) wrote :

I am getting this too, with this kernel 3.5.0-18

cat /proc/version
Linux version 3.5.0-18-generic (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #29~precise1-Ubuntu SMP Mon Oct 22 16:32:29 UTC 2012

francesco@UBimbo:~$ dmesg | tail
[ 7294.429110] audit_printk_skb: 9 callbacks suppressed
[ 7294.429114] type=1701 audit(1370859330.252:1829): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.429120] type=1701 audit(1370859330.252:1830): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.429125] type=1701 audit(1370859330.252:1831): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.429130] type=1701 audit(1370859330.252:1832): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.429134] type=1701 audit(1370859330.252:1833): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=195 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.429858] type=1701 audit(1370859330.252:1834): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=33 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.443459] type=1701 audit(1370859330.264:1835): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.443468] type=1701 audit(1370859330.264:1836): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2e1a424 code=0x50000
[ 7294.443473] type=1701 audit(1370859330.264:1837): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6393 comm="chrome" reason="seccomp" sig=0 syscall=5 compat=0 ip=0xb2e1a424 code=0x50000

Revision history for this message
Andreas Moog (ampelbein) wrote :

Same thing for me, Ubuntu precise, kernel 3.5.0-18 with chromium-browser:

[17006.625278] audit_printk_skb: 9 callbacks suppressed
[17006.625281] type=1701 audit(1378124090.003:1636): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f871d6d6215 code=0x50000
[17006.625285] type=1701 audit(1378124090.003:1637): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f871d6d6215 code=0x50000
[17006.625288] type=1701 audit(1378124090.003:1638): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f871d6d6215 code=0x50000
[17006.625291] type=1701 audit(1378124090.003:1639): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f871d6d6215 code=0x50000
[17006.625294] type=1701 audit(1378124090.003:1640): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f871d6d6215 code=0x50000
[17006.625833] type=1701 audit(1378124090.003:1641): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=21 compat=0 ip=0x7f871d6d6967 code=0x50000
[17006.625838] type=1701 audit(1378124090.003:1642): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=91 compat=0 ip=0x7f871d6d65b7 code=0x50000
[17006.638573] type=1701 audit(1378124090.015:1643): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=2 compat=0 ip=0x7f871f5f458d code=0x50000
[17006.642394] type=1701 audit(1378124090.019:1644): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=2 compat=0 ip=0x7f871d6d66c0 code=0x50000
[17006.642400] type=1701 audit(1378124090.019:1645): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=32426 comm="chromium-browse" reason="seccomp" sig=0 syscall=2 compat=0 ip=0x7f871d6d66c0 code=0x50000

Revision history for this message
Dennis Estenson (destenson) wrote :

This bug (or a similar one) is back. I'm currently experiencing it with the latest chrome & xenial. And I use an ATI/AMD graphics card. It usually (always?) contains:
  type=SECCOMP msg=audit(1482743602.111:32494): auid=1000 uid=1000 gid=1000 ses=5 pid=26692 comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7fb9b67616a4 code=0x50000

tags: added: xenial
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.