apparmor log overflow on Ubuntu 18.04
Posted: 26 Jan 2019 15:51
I'm observing this with i2p 0.9.38, but it was present on 0.9.97 as well. I'm getting tens of such a messages in my /var/log/syslog file every second:
I'm also attaching my i2p apparmor profiles:
I've tried to include network, line in both profiles in order to explicitly allow network operations, which seems to trigger these log warnings, but no luck. This log activity does not look like expected behavior and leads to noticeably increased CPU usage. Any way to fix this?
Code: Select all
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008816] audit: type=1400 audit(1548515430.099:7666): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008827] audit: type=1400 audit(1548515430.099:7667): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008837] audit: type=1400 audit(1548515430.099:7668): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008862] audit: type=1400 audit(1548515430.099:7669): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008891] audit: type=1400 audit(1548515430.099:7670): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Jan 26 18:10:30 stetzen-ubunru-server kernel: [ 398.008920] audit: type=1400 audit(1548515430.099:7671): apparmor="ALLOWED" operation="recvmsg" profile="system_i2p//null-/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=1528 comm="java" laddr=::ffff:127.0.0.1 lport=31000 faddr=::ffff:127.0.0.1 fport=32000 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
Code: Select all
stetzen@stetzen-ubunru-server:~$ cat /etc/apparmor.d/system_i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et
#include <tunables/global>
profile system_i2p flags=(complain) {
#include <abstractions/i2p>
owner /{,lib/live/mount/overlay/}var/lib/i2p/** rwk,
owner /{,lib/live/mount/overlay/}var/lib/i2p/i2p-config/eepsite/cgi-bin rix,
owner /{,lib/live/mount/overlay/}var/log/i2p/* rw,
owner /{,var/}run/i2p/{i2p,routerjvm}.pid rw,
owner /{,var/}run/i2p/router.ping rw,
network,
# Site-specific additions and overrides. See local/README for details.
#include <local/system_i2p>
}
stetzen@stetzen-ubunru-server:~$ cat /etc/apparmor.d/abstractions/i2p
# Last Modified: Sun Dec 06 12:30:32 2015
# vim:syntax=apparmor et ts=4 sw=4
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
# for launching browswers
#include <abstractions/ubuntu-helpers>
#include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-console-browsers>
network,
# Needed by Java
@{PROC} r,
owner @{PROC}/[0-9]*/ r,
owner @{PROC}/[0-9]*/cgroup r,
owner @{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/status r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/if_inet6 r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/sys/fs/cgroup/** r,
/etc/ssl/certs/java/** r,
/etc/timezone r,
/usr/share/javazi/** r,
/etc/java-*-openjdk/** r,
/usr/lib/jvm/default-java/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/java rix,
/usr/lib/jvm/java-*-openjdk-*/jre/bin/keytool rix,
# Oracle Java is needed on the Raspberry Pi and is included in Raspbian's repositories
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/java rix,
/usr/lib/jvm/jdk-*-oracle-*/jre/bin/keytool rix,
# */client/classes.jsa is only found (and needed) in 32-bit JVMs.
/usr/lib/jvm/java-*-openjdk-*/jre/lib/i386/client/classes.jsa m,
/usr/lib/jvm/java-*-oracle-*/jre/lib/i386/client/classes.jsa m,
# needed for I2P's graphs
/usr/share/java/java-atk-wrapper.jar r,
# I2P specific
/usr/share/i2p/** r,
# Used by some plugins
/usr/share/java/eclipse-ecj-*.jar r,
# Tanuki java wrapper
/etc/i2p/wrapper.config r,
/usr/sbin/wrapper rix,
/usr/share/java/wrapper*.jar r,
# Dependent packages
/usr/share/java/libintl.jar r,
/usr/share/java/glassfish-appserv-jstl.jar r,
/usr/share/maven-repo/jstl/jstl/1.2/jstl-1.2.jar r,
/usr/share/java/gnu-getopt.jar r,
/usr/share/java/gnu-getopt-*.jar r,
/usr/share/java/jetty9-*.jar r,
/usr/share/java/json-simple.jar r,
/usr/share/java/json-simple-*.jar r,
/usr/share/java/jsp-api-*.jar r,
/usr/share/java/servlet-api-*.jar r,
/usr/share/java/standard.jar r,
/usr/share/java/standard-*.jar r,
/usr/share/java/tomcat8-*.jar r,
/usr/share/java/tomcat9-*.jar r,
/usr/share/java/taglibs-standard-*.jar r,
/usr/share/flags/countries/16x11/* r,
# GeoIP data
/usr/share/GeoIP/* r,
# Other /proc
@{PROC}/cpuinfo r,
@{PROC}/net/if_inet6 r,
# 'm' is needed by the I2P-Bote plugin
/{,lib/live/mount/overlay/}tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/ rwk,
owner /{,lib/live/mount/overlay/}tmp/hsperfdata_*/** rw,
owner /{,lib/live/mount/overlay/}tmp/wrapper* rwk,
owner /{,lib/live/mount/overlay/}tmp/wrapper*/** rw,
# Scrypt used by I2P-Bote
owner /{,lib/live/mount/overlay/}tmp/scrypt* rwk,
owner /{,lib/live/mount/overlay/}tmp/scrypt*/** rw,
# temp dir (service)
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-daemon/** rwkm,
# temp dir (non-service)
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/ rwm,
owner /{,lib/live/mount/overlay/}tmp/i2p-*.tmp/** rwkm,
# temp dir (Jetty default)
owner /{,lib/live/mount/overlay/}tmp/jetty-*/ rwm,
owner /{,lib/live/mount/overlay/}tmp/jetty-*/** rwkm,
# /graphs in the router console
owner /{,lib/live/mount/overlay/}tmp/imageio[0-9]*.tmp rwk,
# Prevent spamming the logs
deny /dev/tty rw,
deny /{,lib/live/mount/overlay/}var/tmp/ r,
deny @{PROC}/[0-9]*/fd/ r,
deny /usr/sbin/ r,
deny /var/cache/fontconfig/ wk,
# Some versions of the Tanuki wrapper package will try to load these jars but
# they are not needed by I2P. The deny rule here will prevent the logs from
# being spammed.
deny /usr/share/java/hamcrest*.jar r,
deny /usr/share/java/junit*.jar r,