[Bug 2117338] [NEW] Tremendous amount of apparmor audit spam in the kernel log

[Ivan Yosifov]

Public bug reported:

On xubuntu 25.04 desktop system running xfce, with the following
pipeline:

sudo dmesg -x | egrep -v -e type=1400 -e audit -e type=1107 -e
'kauditd_printk_skb: .* callbacks suppressed' | wc -l

Over just under 48 hours there are *14* total messages NOT related to
apparmor, of ~1000 messages total. The rest are things like:

kern  :notice: [192478.133140] audit: type=1400 audit(1752963712.161:9538): 
apparmor="ALLOWED" operation="file_perm" class="file" profile="Xorg" 
name="/proc/driver/nvidia/params" pid=2552 comm="Xorg" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
kern  :notice: [192478.133142] audit: type=1400 audit(1752963712.161:9539): 
apparmor="ALLOWED" operation="unlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
kern  :notice: [192478.133153] audit: type=1400 audit(1752963712.161:9540): 
apparmor="ALLOWED" operation="symlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="c" 
denied_mask="c" fsuid=0 ouid=0
kern  :notice: [230770.061790] audit: type=1400 audit(1753002004.644:9849): 
apparmor="DENIED" operation="open" class="file" 
profile="snap.firmware-updater.firmware-notifier" 
name="/proc/sys/vm/max_map_count" pid=2036274 comm="firmware-notifi" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kern  :notice: [214132.665446] audit: type=1400 audit(1752985367.008:9708): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000
kern  :notice: [214132.665498] audit: type=1400 audit(1752985367.008:9709): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000

in colosal ongoing unending amounts. Even if relevant to apparmor
profile development, such logs should not be enabled by default with end
users, as they interfere with basic monitoring of system health and
operations, while not being actionable or important to the end user in
any way. Please disable them by default.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  On xubuntu 25.04 desktop system running xfce, with the following
  pipeline:
  
  sudo dmesg -x | egrep -v -e type=1400 -e audit -e type=1107 -e audit -e
  'kauditd_printk_skb: .* callbacks suppressed' | wc -l
  
  Over just under 48 hours there are *14* total messages NOT related to
- apparmor. The rest are things like:
+ apparmor, of ~1000 messages total. The rest are things like:
  
  kern  :notice: [192478.133140] audit: type=1400 audit(1752963712.161:9538): 
apparmor="ALLOWED" operation="file_perm" class="file" profile="Xorg" 
name="/proc/driver/nvidia/params" pid=2552 comm="Xorg" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  kern  :notice: [192478.133142] audit: type=1400 audit(1752963712.161:9539): 
apparmor="ALLOWED" operation="unlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
  kern  :notice: [192478.133153] audit: type=1400 audit(1752963712.161:9540): 
apparmor="ALLOWED" operation="symlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="c" 
denied_mask="c" fsuid=0 ouid=0
  kern  :notice: [230770.061790] audit: type=1400 audit(1753002004.644:9849): 
apparmor="DENIED" operation="open" class="file" 
profile="snap.firmware-updater.firmware-notifier" 
name="/proc/sys/vm/max_map_count" pid=2036274 comm="firmware-notifi" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  kern  :notice: [214132.665446] audit: type=1400 audit(1752985367.008:9708): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000
  kern  :notice: [214132.665498] audit: type=1400 audit(1752985367.008:9709): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000
  
  in colosal ongoing unending amounts. Even if relevant to apparmor
  profile development, such logs should not be enabled by default with end
  users, as they interfere with basic monitoring of system health and
  operations, while not being actionable or important to the end user in
  any way. Please disable them by default.

** Description changed:

  On xubuntu 25.04 desktop system running xfce, with the following
  pipeline:
  
- sudo dmesg -x | egrep -v -e type=1400 -e audit -e type=1107 -e audit -e
+ sudo dmesg -x | egrep -v -e type=1400 -e audit -e type=1107 -e
  'kauditd_printk_skb: .* callbacks suppressed' | wc -l
  
  Over just under 48 hours there are *14* total messages NOT related to
  apparmor, of ~1000 messages total. The rest are things like:
  
  kern  :notice: [192478.133140] audit: type=1400 audit(1752963712.161:9538): 
apparmor="ALLOWED" operation="file_perm" class="file" profile="Xorg" 
name="/proc/driver/nvidia/params" pid=2552 comm="Xorg" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  kern  :notice: [192478.133142] audit: type=1400 audit(1752963712.161:9539): 
apparmor="ALLOWED" operation="unlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
  kern  :notice: [192478.133153] audit: type=1400 audit(1752963712.161:9540): 
apparmor="ALLOWED" operation="symlink" class="file" profile="Xorg" 
name="/dev/char/195:254" pid=2552 comm="Xorg" requested_mask="c" 
denied_mask="c" fsuid=0 ouid=0
  kern  :notice: [230770.061790] audit: type=1400 audit(1753002004.644:9849): 
apparmor="DENIED" operation="open" class="file" 
profile="snap.firmware-updater.firmware-notifier" 
name="/proc/sys/vm/max_map_count" pid=2036274 comm="firmware-notifi" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  kern  :notice: [214132.665446] audit: type=1400 audit(1752985367.008:9708): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000
  kern  :notice: [214132.665498] audit: type=1400 audit(1752985367.008:9709): 
apparmor="ALLOWED" operation="file_perm" class="file" 
profile="transmission-gtk" 
name=2F686F6D652F6F62656C69782F746F7272656E742F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E20455055422F4C6561726E696E67204F70656E4356203520436F6D707574657220566973696F6E207769746820507974686F6E206279204A6F65204D696E696368696E6F202E2E2E65707562
 pid=629774 comm="transmission-gt" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=1000
  
  in colosal ongoing unending amounts. Even if relevant to apparmor
  profile development, such logs should not be enabled by default with end
  users, as they interfere with basic monitoring of system health and
  operations, while not being actionable or important to the end user in
  any way. Please disable them by default.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2117338

Title:
  Tremendous amount of apparmor audit spam in the kernel log

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2117338/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs