
Issue 659422

Issue metadata

Status: WontFix
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug




cupsd seccomp config

Project Member Reported by skau@chromium.org, Oct 26 2016

Issue description

Trying to add a printer to CUPS.  Looks like we need ioctl.  Unsure if this only occurs with '-m everywhere' configurations.

2016-10-25T18:03:00.944917-07:00 WARNING cupsd[30649]: libminijail[1]: logging seccomp filter failures
2016-10-25T18:03:01.065661-07:00 NOTICE kernel: [110958.348689] audit: type=1400 audit(1477443781.064:366): avc:  denied  { ioctl } for  pid=3787 comm="netfilter-queue" path="socket:[305170]" dev="sockfs" ino=305170 ioctlcmd=8910 scontext=u:r:chromeos:s0 tcontext=u:r:chromeos:s0 tclass=unix_dgram_socket permissive=1
2016-10-25T18:03:01.065694-07:00 NOTICE kernel: [110958.349047] audit: type=1400 audit(1477443781.064:367): avc:  denied  { ioctl } for  pid=3787 comm="netfilter-queue" path="socket:[305172]" dev="sockfs" ino=305172 ioctlcmd=8910 scontext=u:r:chromeos:s0 tcontext=u:r:chromeos:s0 tclass=unix_dgram_socket permissive=1
2016-10-25T18:03:07.982525-07:00 NOTICE kernel: [110965.265291] audit: type=1400 audit(1477443787.981:368): avc:  denied  { ioctl } for  pid=3787 comm="netfilter-queue" path="socket:[304747]" dev="sockfs" ino=304747 ioctlcmd=8910 scontext=u:r:chromeos:s0 tcontext=u:r:chromeos:s0 tclass=unix_dgram_socket permissive=1

 
Cc: rickyz@chromium.org
Those 'audit' warnings are misleading I think. Ask the security team about it, but they've been spamming our logs for the longest time now. (I really wish they'd fix it.) They aren't seccomp warnings; I think they're SELinux.

AFAICT, the 'permissive=1' means that it's not actually rejecting anything. It's just annoying everyone instead.

Comment 2 by skau@chromium.org, Oct 26 2016

Labels: -Pri-2 Pri-3
I've taken a closer look and it seems like this might occur when the cups daemon starts.  But it doesn't seem to be causing problems.  Lowering priority.
I don't think this is a problem. The cupsd (PID=30649) message just means libminijail has the seccomp_filter_logging flag flipped on.

The audit messages are for PID=3787, which is probably something else entirely?
Status: Assigned (was: Untriaged)
Status: WontFix (was: Assigned)
Looking at this some more, I think this is a red herring.  We should re-open if we find something that's actually getting in the way of functionality.
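
The triage reasoning in this thread (which audit record type, whether `permissive=1` is set, and which PID the record belongs to) can be checked mechanically. The script below is an added example, not part of the original issue or of any Chrome OS tooling. The function names are hypothetical, the first two log lines are copied from the report, and the `type=1326` line is constructed and abbreviated to show what a seccomp audit record for cupsd would look like by contrast.

```python
import re

AUDIT_AVC = 1400      # kernel audit record type for SELinux AVC messages
AUDIT_SECCOMP = 1326  # kernel audit record type for seccomp filter actions

# Copied from the issue report.
REPORT_LOG = r'''2016-10-25T18:03:00.944917-07:00 WARNING cupsd[30649]: libminijail[1]: logging seccomp filter failures
2016-10-25T18:03:01.065661-07:00 NOTICE kernel: [110958.348689] audit: type=1400 audit(1477443781.064:366): avc:  denied  { ioctl } for  pid=3787 comm="netfilter-queue" path="socket:[305170]" dev="sockfs" ino=305170 ioctlcmd=8910 scontext=u:r:chromeos:s0 tcontext=u:r:chromeos:s0 tclass=unix_dgram_socket permissive=1
'''
# Constructed for contrast (not from the report; fields abbreviated).
CONSTRUCTED_SECCOMP = ('2016-10-25T18:03:02.000000-07:00 NOTICE kernel: [110959.000000] '
                       'audit: type=1326 audit(1477443782.000:999): pid=30649 comm="cupsd" sig=31 syscall=16')

AUDIT_RE = re.compile(r'audit: type=(\d+) audit\([\d.]+:\d+\):\s*(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def classify(line):
    """Describe one kernel audit line; return None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec_type, body = int(m.group(1)), m.group(2)
    f = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    kind = {AUDIT_AVC: "selinux-avc", AUDIT_SECCOMP: "seccomp"}.get(rec_type, "other")
    return {
        "kind": kind,
        "pid": int(f["pid"]) if f.get("pid", "").isdigit() else None,
        "comm": f.get("comm"),
        # permissive=1: SELinux logged the denial without enforcing it
        "permissive": f.get("permissive") == "1" if kind == "selinux-avc" else None,
    }

def findings_for(log, pid):
    """Audit records for `pid` that are seccomp events or enforced AVC denials."""
    out = []
    for line in log.splitlines():
        rec = classify(line)
        if rec and rec["pid"] == pid and (
                rec["kind"] == "seccomp"
                or (rec["kind"] == "selinux-avc" and not rec["permissive"])):
            out.append(rec)
    return out

if __name__ == "__main__":
    for line in REPORT_LOG.splitlines():
        print(classify(line))
    print(findings_for(REPORT_LOG, 30649))  # cupsd PID from the report
```

Run against the lines from the report, nothing is attributed to cupsd (PID 30649): the libminijail line is not an audit record, and the AVC record belongs to PID 3787 and is permissive.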
