Sorry, AppArmor auditing will not be disabled by default. Generally it
indicates a violation of security policy, which really does need to be
audited. However, we can split policy into two broad classes: policy that
is being enforced, and policy that is in complain/allow/learning mode.
Unfortunately, auditing of the two classes cannot be controlled separately
at this time. Disabling auditing of the complain messages also disables
the policy violation denials.
Generally speaking, profiles should not be shipped in complain mode.
Complain mode, as you have noted, is for profile development. Sometimes a
profile may be shipped in complain mode so it can have a cycle in the
real world, to gain additional feedback, before being put into enforce
mode. This is done in an effort not to break people's systems. When this
is done the profile should be well enough tested that on most systems it
does not generate any messages. However, when it does, as you have noted,
it can be rather noisy.
The messages are actionable by a user with admin privileges. The user
can manually generate profile rules from the log message, or can use the
apparmor utils to do it for them. From the utils the user has two
choices, apparmor-notify, or aa-genprof/aa-logprof in the apparmor-utils
package. Of the two, apparmor-notify is more average-user friendly, while
aa-genprof/aa-logprof are for interactive profile development.
We are aware that apparmor complain mode logging on users' systems can
result in a bad experience. There is work going on to address this by
allowing for better message deduplication, storing of complain messages
to an alternate stream other than the audit logs, and also adding the
ability to quiet complain messages separate from denied messages.
In the meantime you have multiple options to reduce the log messages
you are seeing.
1. You can quiet apparmor logging
echo -n > /sys/module/apparmor/parameters/audit
As previously noted, this will also quiet the denied messages.
This can also be added to your grub configuration by adding the
parameter
apparmor.audit=quiet
2. You can update the profile based on the messages.
2.1 install apparmor-notify
$ cp /etc/apparmor/notify.conf ~/.config/apparmor/
edit ~/.config/apparmor/notify.conf to comment out
filter.profile="^(?!snap[._-])"
filter.operation="userns"
restart aa-notify, or log out and log back in.
The editing of apparmor-notify's config is an unfortunate
necessity at the moment, as its default config is set to trigger only for
unprivileged user namespace denials.
2.2 install apparmor-utils
From a terminal run
sudo aa-logprof -a
to allow everything in the logs
3. You can enforce the profile
This is not guaranteed to reduce the amount of messages without updating
the profile, as applications may continue running when accesses are
denied, but it does generally reduce the volume of messages.
If you have apparmor-utils installed you can do
sudo aa-enforce application-name
4. You can remove the profile in question.
sudo apparmor_parser -r /etc/apparmor.d/profile_file
although this may have unintended consequences as profiles do have
interdependencies, so that removing one may result in other things breaking.
5. If you have auditd installed you can use audit filter rules to filter
out the apparmor="ALLOWED" messages.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2117338
Title:
Tremendous amount of apparmor audit spam in the kernel log
Status in apparmor package in Ubuntu:
New
Bug description:
On xubuntu 25.04 desktop system running xfce, with the following
pipeline:
sudo dmesg -x | egrep -v -e type=1400 -e audit -e type=1107 -e 'kauditd_printk_skb: .* callbacks suppressed' | wc -l
Over just under 48 hours there are *14* total messages NOT related to
apparmor, of ~1000 messages total. The rest are things like:
kern :notice: [192478.133140] audit: type=1400 audit(1752963712.161:9538):
apparmor="ALLOWED" operation="file_perm" class="file" profile="Xorg"
name="/proc/driver/nvidia/params" pid=2552 comm="Xorg" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
kern :notice: [192478.133142] audit: type=1400 audit(1752963712.161:9539):
apparmor="ALLOWED" operation="unlink" class="file" profile="Xorg"
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="d"
denied_mask="d" fsuid=0 ouid=0
kern :notice: [192478.133153] audit: type=1400 audit(1752963712.161:9540):
apparmor="ALLOWED" operation="symlink" class="file" profile="Xorg"
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="c"
denied_mask="c" fsuid=0 ouid=0
kern :notice: [230770.061790] audit: type=1400 audit(1753002004.644:9849):
apparmor="DENIED" operation="open" class="file"
profile="snap.firmware-updater.firmware-notifier"
name="/proc/sys/vm/max_map_count" pid=2036274 comm="firmware-notifi"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kern :notice: [214132.665446] audit: type=1400 audit(1752985367.008:9708):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="transmission-gtk"
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000
kern :notice: [214132.665498] audit: type=1400 audit(1752985367.008:9709):
apparmor="ALLOWED" operation="file_perm" class="file"
profile="transmission-gtk"
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000
in colossal ongoing unending amounts. Even if relevant to apparmor
profile development, such logs should not be enabled by default with
end users, as they interfere with basic monitoring of system health
and operations, while not being actionable or important to the end
user in any way. Please disable them by default.
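The reply above points out that complain-mode apparmor="ALLOWED" records and enforce-mode apparmor="DENIED" records share one audit stream, and the quoted transmission-gtk lines show that the kernel hex-encodes a name= value when the path contains a space. The following is an added example, not code from the bug thread or the apparmor project: it parses constructed records modelled on the lines above, decodes hex names, and counts repeats per mode, profile, operation and name so the two classes can be triaged separately. The path in the hex-encoded sample is constructed, not the reporter's.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the type=1400 lines quoted in the
# bug description. The unquoted name= value is the audit subsystem's hex
# encoding of a constructed path containing a space. dmesg prefixes omitted.
SAMPLE_LOG = """\
audit: type=1400 audit(1752963712.161:9538): apparmor="ALLOWED" operation="file_perm" class="file" profile="Xorg" name="/proc/driver/nvidia/params" pid=2552 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1753002004.644:9849): apparmor="DENIED" operation="open" class="file" profile="snap.firmware-updater.firmware-notifier" name="/proc/sys/vm/max_map_count" pid=2036274 comm="firmware-notifi" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1752985367.008:9708): apparmor="ALLOWED" operation="file_perm" class="file" profile="transmission-gtk" name=2F686F6D652F757365722F4D7920426F6F6B2E65707562 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1752985367.008:9709): apparmor="ALLOWED" operation="file_perm" class="file" profile="transmission-gtk" name=2F686F6D652F757365722F4D7920426F6F6B2E65707562 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs: value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one AppArmor audit record into fields. Plain strings arrive
    quoted; names with spaces/control chars arrive hex-encoded and are decoded."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            fields[key] = value[1:-1]
        elif key == "name" and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
            fields[key] = bytes.fromhex(value).decode("utf-8", "replace")
        else:
            fields[key] = value
    return fields

def summarize(log_text):
    """Deduplicate records by (mode, profile, operation, name). Keeping the
    apparmor= mode in the key keeps complain noise apart from real denials."""
    counts = Counter()
    for line in log_text.splitlines():
        if "apparmor=" in line:
            r = parse_record(line)
            counts[(r["apparmor"], r["profile"], r["operation"], r["name"])] += 1
    return counts

def by_mode(counts, mode):
    """Return {(profile, operation, name): count} for one apparmor= mode."""
    return {key[1:]: n for key, n in counts.items() if key[0] == mode}

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for mode in ("DENIED", "ALLOWED"):
        print(f"== {mode} ==")
        for (profile, op, name), n in sorted(by_mode(c, mode).items()):
            print(f"{n:4d}x {profile}: {op} {name}")
```

On a live system, feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG; the DENIED section is the one worth reviewing first, while the ALLOWED section is the material aa-logprof would turn into profile rules.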