This bug is awaiting verification that the linux/5.15.0-163.173 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux

https://bugs.launchpad.net/bugs/2123815

Title:
  Ubuntu 24.04.2: error in audit_log_object_context keep printing in the kernel and console

Status in linux package in Ubuntu:
  New
Status in linux source package in Jammy:
  New
Status in linux source package in Noble:
  New

Bug description:

SRU Justification:

[Impact]

* When auditd is installed and audit rules are used the console can be flooded with the error message.

  error in audit_log_object_context

[Fix]

* The fix is backported from 5ba569134855 https://github.com/cschaufler/lsm-stacking. This is the development upstream for the out of tree LSM stacking patch series.

* The fix is also carried in the Oracular 6.14 kernel in its version of the patch, commit 28b69ac0e2fc ("UBUNTU: SAUCE: apparmor4.0.0 [25/99]: Audit: Add record for multiple object contexts")

Specifically the fix changes the test for failure on the result from security_secid_to_secctx(), which on success returns a size and on failure returns an error.

[Test Plan]

* Install audit
* Ensure AppArmor is enabled by running aa-enabled
* Add the audit rule

  auditctl -a always,exit -S execve -k all_execs

* Run applications, or shell commands

If the fix is not applied each application or command run will result in a message to the console. If the console is not displaying the error message

  error in audit_log_object_context

the fix is working.

[Where problems could occur]

* The regression can be considered as low, since the fix is already integrated into the plucky 6.14, and questing 6.16/6.17 kernels without reported issues.

[Other Info]

* If audit is configured to panic on error via auditctl -f 2 this bug can cause the kernel to panic

[Original Bug Text]

The log `error in audit_log_object_context` keeps printing in the kernel log and console when the system starts up.

  [ 13.504243] audit_panic: 282 callbacks suppressed
  [ 13.504248] audit: error in audit_log_object_context
  [ 19.988510] audit: error in audit_log_object_context
  [ 20.104622] audit: error in audit_log_object_context
  [ 20.114842] audit: error in audit_log_object_context
  [ 20.468369] audit: error in audit_log_object_context
  [ 20.505565] audit: error in audit_log_object_context
  [ 20.629690] audit: error in audit_log_object_context
  [ 21.233722] audit: error in audit_log_object_context
  [ 21.280265] audit: error in audit_log_object_context
  [ 80.081721] audit: error in audit_log_object_context
  [ 88.384101] audit: error in audit_log_object_context
  [ 88.445175] audit: error in audit_log_object_context
  [ 88.460142] audit: error in audit_log_object_context
  [ 88.715815] audit: error in audit_log_object_context
  [ 88.732466] audit: error in audit_log_object_context
  [ 88.851304]

Reproduce the issue:

1. Install auditd, enable AppArmor or SELinux.
2. Add audit rules like:

   auditctl -a always,exit -S execve -k all_execs

Suggested patch:

diff --git a/kernel/audit.c b/kernel/audit.c index 3dd2e9930550f..b1764ae17ad76 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2315,7 +2315,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) if (lsm_blob_cnt < 2) { error = security_lsmblob_to_secctx(blob, &context, LSM_ID_UNDEF); - if (error) { + if (error < 0) { if (error != -EINVAL) goto error_path; return; 
@@ -2334,7 +2334,7 @@ void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) continue; error = security_lsmblob_to_secctx(blob, &context, lsm_idlist[i]->id); - if (error) { + if (error < 0) { audit_log_format(ab, "%sobj_%s=?", space ? " " : "", lsm_idlist[i]->name); if (error != -EINVAL)

Similar fix already in 6.14.x-HWE kernel, please help to add it to 6.8.0. Thanks.
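
Review bot: In the `lsm_blob_cnt < 2` branch of the first hunk, `if (error < 0)` now lets a return value of 0 through as success along with positive sizes, so please confirm that security_lsmblob_to_secctx() cannot return 0 while leaving `context` unset. A one-line comment above the call stating that the function returns a size on success and a negative errno on failure would also explain why a variable named `error` is expected to be positive on the normal path.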
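
Review bot: In the loop over `lsm_idlist` in the second hunk, the same `if (error < 0)` test is repeated, so the return convention is encoded by hand at two call sites that were both wrong before this change. Consider holding the result in a variable named for what it contains (for example `len`) or moving the call and its check into a small helper, so the two sites cannot drift apart again.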
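
The return convention described under [Fix] (a size on success, a negative error on failure), shown as an added example that is not part of the bug report or the kernel source. `stub_to_secctx()`, `classify_buggy()`, `classify_fixed()`, the secid values and the label are hypothetical stand-ins; only the two `if` conditions come from the suggested patch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Which way the branch shown in the patch goes for one lookup. */
enum outcome { LOGGED, SKIPPED, ERROR_PATH };

/* Hypothetical stand-in for security_lsmblob_to_secctx(): returns the
 * context length (> 0) on success and a negative errno on failure.
 * The secid values and the label are constructed for this demo. */
static int stub_to_secctx(int secid, const char **context)
{
    static const char label[] = "unconfined";

    if (secid == 0)
        return -EINVAL;          /* no context available for this id */
    if (secid < 0)
        return -ENOMEM;          /* genuine failure */
    *context = label;
    return (int)strlen(label);   /* success is a size, never 0 here */
}

/* Pre-fix test: any non-zero return, including a valid length, is an error. */
static enum outcome classify_buggy(int secid)
{
    const char *context = NULL;
    int error = stub_to_secctx(secid, &context);

    if (error)
        return error != -EINVAL ? ERROR_PATH : SKIPPED;
    return LOGGED;
}

/* Post-fix test: only negative returns are errors. */
static enum outcome classify_fixed(int secid)
{
    const char *context = NULL;
    int error = stub_to_secctx(secid, &context);

    if (error < 0)
        return error != -EINVAL ? ERROR_PATH : SKIPPED;
    return LOGGED;
}

int main(void)
{
    printf("valid secid: buggy=%d fixed=%d\n", classify_buggy(7), classify_fixed(7));
    return 0;
}
```

With the pre-fix test every successful lookup is classified as ERROR_PATH, which is consistent with the report of one console message per audited command.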

