apparmor log overflow on Ubuntu 18.04

I2P router issues
biochemist
Posts: 2
Joined: 19 Jan 2019 14:45

apparmor log overflow on Ubuntu 18.04

Post by biochemist »

I'm observing this with i2p 0.9.38, but it was present on 0.9.97 as well. I'm getting tens of such messages in my /var/log/syslog file every second:

Code:

Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008816] audit: type=1400 audit(1548515430.099:7666): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008827] audit: type=1400 audit(1548515430.099:7667): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008837] audit: type=1400 audit(1548515430.099:7668): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008862] audit: type=1400 audit(1548515430.099:7669): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008891] audit: type=1400 audit(1548515430.099:7670): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [  398.008920] audit: type=1400 audit(1548515430.099:7671): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
I'm also attaching my i2p apparmor profiles:

Code:

stetzen@stetzen-ubunru-server:~$ cat /etc/apparmor.d/system_i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et
#include <tunables/global>

profile system_i2p flags=(complain) {
  #include <abstractions/i2p>

  owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwk,
  owner /{,lib/live/mount/overlay/}var/lib/i2p/i2p-config/eepsite/cgi-bin rix,
  owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,

  owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
  owner /{,var/}run/i2p/router.ping rw,
  network,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_i2p>
}
stetzen@stetzen-ubunru-server:~$ cat /etc/apparmor.d/abstractions/i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4

  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # for launching browsers
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  network,

  # Needed by Java
  @{PROC}                                                 r,
  owner @{PROC}/[0-9]*/                                   r,
  owner @{PROC}/[0-9]*/cgroup                             r,
  owner @{PROC}/[0-9]*/mountinfo                          r,
  owner @{PROC}/[0-9]*/status                             r,
  @{PROC}/[0-9]*/net/ipv6_route                           r,
  @{PROC}/[0-9]*/net/if_inet6                             r,
  /sys/devices/system/cpu/                                r,
  /sys/devices/system/cpu/**                              r,
  /sys/fs/cgroup/**                                       r,

  /etc/ssl/certs/java/**                                  r,
  /etc/timezone                                           r,
  /usr/share/javazi/**                                    r,

  /etc/java-*-openjdk/**                                  r,
  /usr/lib/jvm/default-java/jre/bin/java                  rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,

  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,

  # */client/classes.jsa is only found (and needed) in 32-bit JVMs.
  /usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
  /usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,

  # needed for I2P's graphs
  /usr/share/java/java-atk-wrapper.jar                    r,

  # I2P specific
  /usr/share/i2p/**                                       r,

  # Used by some plugins
  /usr/share/java/eclipse-ecj-*.jar                       r,

  # Tanuki java wrapper
  /etc/i2p/wrapper.config                                 r,
  /usr/sbin/wrapper                                       rix,
  /usr/share/java/wrapper*.jar                            r,

  # Dependent packages
  /usr/share/java/libintl.jar                             r,
  /usr/share/java/glassfish-appserv-jstl.jar              r,
  /usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar        r,
  /usr/share/java/gnu-getopt.jar                          r,
  /usr/share/java/gnu-getopt-*.jar                        r,
  /usr/share/java/jetty9-*.jar                            r,
  /usr/share/java/json-simple.jar                         r,
  /usr/share/java/json-simple-*.jar                       r,
  /usr/share/java/jsp-api-*.jar                           r,
  /usr/share/java/servlet-api-*.jar                       r,
  /usr/share/java/standard.jar                            r,
  /usr/share/java/standard-*.jar                          r,
  /usr/share/java/tomcat8-*.jar                           r,
  /usr/share/java/tomcat9-*.jar                           r,
  /usr/share/java/taglibs-standard-*.jar                  r,
  /usr/share/flags/countries/16x11/*                      r,

  # GeoIP data
  /usr/share/GeoIP/*                                      r,

  # Other /proc
  @{PROC}/cpuinfo                                         r,
  @{PROC}/net/if_inet6                                    r,

  # 'm' is needed by the I2P-Bote plugin
  /{,lib/live/mount/overlay/}tmp/                         rwm,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/      rwk,
  owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/**    rw,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*           rwk,
  owner /{,lib/live/mount/overlay/}tmp/wrapper*/**        rw,
  # Scrypt used by I2P-Bote
  owner /{,lib/live/mount/overlay/}tmp/scrypt*            rwk,
  owner /{,lib/live/mount/overlay/}tmp/scrypt*/**         rw,

  # temp dir (service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/        rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/**      rwkm,
  # temp dir (non-service)
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/         rwm,
  owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/**       rwkm,
  # temp dir (Jetty default)
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/           rwm,
  owner /{,lib/live/mount/overlay/}tmp/jetty-*/**         rwkm,

  # /graphs in the router console
  owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp  rwk,

  # Prevent spamming the logs
  deny /dev/tty                                           rw,
  deny /{,lib/live/mount/overlay/}var/tmp/                r,
  deny @{PROC}/[0-9]*/fd/                                 r,
  deny /usr/sbin/                                         r,
  deny /var/cache/fontconfig/                             wk,

  # Some versions of the Tanuki wrapper package will try to load these jars but
  # they are not needed by I2P. The deny rule here will prevent the logs from
  # being spammed.
  deny /usr/share/java/hamcrest*.jar                      r,
  deny /usr/share/java/junit*.jar                         r,
I've tried to include a network, line in both profiles in order to explicitly allow network operations, which seem to trigger these log warnings, but no luck. This log activity does not look like expected behavior and leads to noticeably increased CPU usage. Any way to fix this?
zzz
Posts: 155
Joined: 31 Mar 2018 13:15

Re: apparmor log overflow on Ubuntu 18.04

Post by zzz »

Thanks for the report.
For .38 I worked on http://trac.i2p2.i2p/ticket/2319 to fix up the AppArmor profile.
mhatta is helping with testing.
Unfortunately, the two of us put together know almost nothing about AppArmor.
As you can see in the ticket, the profile is only in "complain", not "enforce" mode, so it's not actually doing anything now other than logging. So you can just disable it, if you can't fix it, but I don't know how to disable it.
Our goal is to change it to enforce for .39, but only if we can knock out the rest of the problems. If you figure it out, let us know here or on the ticket.
thanks
biochemist
Posts: 2
Joined: 19 Jan 2019 14:45

Re: apparmor log overflow on Ubuntu 18.04

Post by biochemist »

OK, now I feel stupid, sorry for distracting you from the development! I've found the solution for my specific problem, although it may not be the most secure or universal one. Basically, I have an Oracle JRE installed, which (in my system) is located in /usr/lib/jvm/java-8-oracle/jre/bin/java. That means that the java rules in the abstraction/i2p profile listed below

Code:

  /etc/java-*-openjdk/**                                  r,
  /usr/lib/jvm/default-java/jre/bin/java                  rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/java              rix,
  /usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool           rix,

  # Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/java                rix,
  /usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool             rix,
were not applied to the child java process, so it was running with the autogenerated null profile, which is always in complain mode about everything. Adding a rix rule for my specific java path (it looks like

Code:

  /usr/lib/jvm/java-*-oracle*/jre/bin/java                rix,
) together with the

Code:

network,
rule I added earlier has fixed the issue completely, and I'm afraid I'm happy with it now, so I will not be doing any modifications to that on my system atm. But I feel like the java path needs to be listed in an even more universal manner (maybe /usr/lib/jvm/*/jre/bin/java?), and I also feel like allowing i2p and its child java process full networking access like I did is not exactly secure, so probably it should request only the network operations it actually needs.
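To work out which rule is actually missing from a flood like the one in the first post, here is an added example (not code from this thread or from the I2P project) that parses the apparmor= audit fields out of syslog lines, aggregates them per profile/operation/mask, and recovers the executable path from the "parent//null-/path" child profile name, which is exactly the Oracle java path that ended up needing a rix rule. The sample log is constructed to match the lines above.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's syslog lines (hostname shortened, one DENIED event and an unrelated kernel line added).
SAMPLE_LOG = """\
Jan 26 18:10:30 host kernel: [  398.008816] audit: type=1400 audit(1548515430.099:7666): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 host kernel: [  398.008827] audit: type=1400 audit(1548515430.099:7667): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:31 host kernel: [  398.100000] audit: type=1400 audit(1548515431.100:7680): apparmor="DENIED" operation="open" profile="system_i2p" name="/var/cache/fontconfig/" pid=1528 comm="java" requested_mask="wk" denied_mask="wk" fsuid=107 ouid=0
Jan 26 18:10:31 host kernel: [  398.200000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
"""

# key=value pairs; the value is either double-quoted or a bare token (e.g. laddr=::ffff:127.0.0.1).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return a dict of the apparmor= ... fields, or None for non-AppArmor lines."""
    start = line.find('apparmor="')
    if start == -1:
        return None
    return {k: q if q else b for k, q, b in KV_RE.findall(line[start:])}

def null_profile_target(profile):
    """Executable behind an auto-generated 'parent//null-/path' child profile: the parent
    exec'd it without a matching ix/Px/Cx rule, so the child runs in complain mode and logs everything."""
    marker = "//null-"
    idx = profile.find(marker)
    return profile[idx + len(marker):] if idx != -1 else None

def summarize(log_text):
    """Count events per (status, profile, operation, denied_mask) and collect
    the executables that ended up under a null profile."""
    counts, missing_exec = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        counts[(ev["apparmor"], ev.get("profile"), ev.get("operation"), ev.get("denied_mask"))] += 1
        exe = null_profile_target(ev.get("profile", ""))
        if exe:
            missing_exec[exe] += 1
    return counts, missing_exec

def suggest_exec_rules(missing_exec):
    """Rule lines that would fold each null-profile child back into the parent profile."""
    return [f"  {exe}  rix," for exe in sorted(missing_exec)]

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE_LOG)
    print(counts.most_common(3), suggest_exec_rules(missing), sep="\n")
```

Feed it /var/log/syslog instead of SAMPLE_LOG and the top of the count table is the rule to add next; an empty suggest_exec_rules() result with remaining ALLOWED/DENIED entries means the noise comes from the profile's own file or network rules rather than a missing exec rule.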
zzz
Posts: 155
Joined: 31 Mar 2018 13:15

Re: apparmor log overflow on Ubuntu 18.04

Post by zzz »

OK, thanks for the info.

I do see that we need to add oracle to the JVM options, so I'll do that.