After some research I can now safely confirm this bug. However, the log lines do not seem to be related to any rules in "/etc/audit/rules.d" or AppArmor profiles loaded. %‑)
The only difference between the log lines in *this* bug report, my lines and the ones mentioned on https://bugzilla.redhat.com/show_bug.cgi?id=1507282 seems to be system- specific configuration, e.g. SELinux. Over the past 24 hours, I also had sometimes 100 lines at once in my log when opening or reloading a web page, in a new tab in Firefox. Therefore Firefox seems to be the only "offending" application at present. I also cleared the /etc/audit/rules.d and uninstalled the AppArmor extras packages (apparmor-profiles, apparmor-profiles-extra) with the Firefox profiles in it. Unfortunately the logs lines still poured in. Therefore I also changed the abstractions for Firefox (/etc/apparmor.d/abstractions/ubuntu-browsers) and commented out everything Firefox related, with no avail. The problem is somewhere deeper and not Firefox-specific. I hope Tyler Hicks (tyhicks) is correct and the fixes mentioned will soon be available. Due to the problem I generated several GiB of logs a day which is not so good for my SSD (even with wear-leveling). My temporary workaround is to stop auditd, since unlike /etc/systemd/journald.conf there is no Storage=volatile option for auditd. :-0 ',:-l >:/ ** Bug watch added: Red Hat Bugzilla #1507282 https://bugzilla.redhat.com/show_bug.cgi?id=1507282 ** Bug watch added: Red Hat Bugzilla #1117953 https://bugzilla.redhat.com/show_bug.cgi?id=1117953 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1774711 Title: excessive seccomp audit logs Status in linux package in Ubuntu: Triaged Bug description: Hello, my audit logs are currently filled with messages from Firefox's seccomp filters which looks like this: type=SECCOMP msg=audit(1527882167.659:223316): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000 type=SECCOMP msg=audit(1527882167.659:223317): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000 type=SECCOMP msg=audit(1527882167.659:223318): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000 type=SECCOMP msg=audit(1527882167.687:223319): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000 type=SECCOMP msg=audit(1527882167.687:223320): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000 type=SECCOMP msg=audit(1527882167.687:223321): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000 type=SECCOMP msg=audit(1527882167.691:223322): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f4329623d19 code=0x30000 type=SECCOMP msg=audit(1527882167.691:223323): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=4 compat=0 ip=0x7f4329623775 code=0x30000 type=SECCOMP msg=audit(1527882167.691:223324): auid=1000 uid=1000 gid=1000 ses=1 pid=28901 comm=57656220436F6E74656E74 exe=2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 sig=0 arch=c000003e syscall=87 compat=0 ip=0x7f4329625d47 code=0x30000 $ aa-decode 57656220436F6E74656E74 Decoded: Web Content $ aa-decode 2F7573722F6C69622F66697265666F782F66697265666F78202864656C6574656429 Decoded: /usr/lib/firefox/firefox (deleted) Over a recent 48 hour stretch it averaged out to nearly one message per second. My current audit rules are: ## This file is automatically generated from /etc/audit/rules.d -D -b 8192 --loginuid-immutable -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change -w /etc/localtime -p wa -k time-change -w /usr/share/zoneinfo/ -p wa -k time-change -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale -w /etc/audit/ -p wa -k CFG_audit -w /var/log/audit/ -k audit-logs -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy -w /etc/init.d/apparmor -p wa -k MAC-policy -w /lib/apparmor/ -p wa -k MAC-policy -w /sbin/apparmor_parser -p wa -k MAC-policy -w /lib/x86_64-linux-gnu/libpthread.so.0 -p wa -k MAC-policy -w /lib/x86_64-linux-gnu/libm.so.6 -p wa -k MAC-policy -w /lib/x86_64-linux-gnu/libc.so.6 -p wa -k MAC-policy -w /lib/x86_64-linux-gnu/ld-2.23.so -p wa -k MAC-policy -w /var/log/tallylog -p wa -k logins -w /var/run/faillock/ -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf -w /etc/sysctl.d/ -p wa -k CFG_sysctl.conf -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /bin/kmod -p x -k modules -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -a always,exit -F arch=b32 -S delete_module -F key=module-unload -a always,exit -F arch=b64 -S delete_module -F key=module-unload -w /etc/modprobe.d/ -p wa -k CFG_modprobe -a always,exit -F arch=b64 -S mount,umount2 -a always,exit -F arch=b32 -S mount,umount,umount2 -w /etc/ld.so.cache -p wa -k CFG_ld.so.conf -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf -w /etc/ld.so.conf.d -p wa -k CFG_ld.so.conf -w /etc/ld.so.preload -p wa -k CFG_ld.so.conf -w /etc/pam.d/ -p wa -k CFG_pam -w /etc/security/ -p wa -k CFG_pam -w /etc/ssh/sshd_config -k CFG_sshd_config It's my understanding that this is addressed in an upcoming kernel via this specific patch in a series of cleanups around seccomp logging: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/?h=next&id=326bee0286d7f6b0d780f5b75a35ea9fe489a802 Please consider backporting this fix into the Bionic kernel. Thanks ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-20-generic 4.15.0-20.21 ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17 Uname: Linux 4.15.0-20-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.9-0ubuntu7 Architecture: amd64 Date: Fri Jun 1 12:42:04 2018 InstallationDate: Installed on 2012-10-18 (2052 days ago) InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1) ProcEnviron: TERM=rxvt-unicode-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: linux-signed UpgradeStatus: Upgraded to bionic on 2018-05-02 (30 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
