8

Was in my syslog today and noticed that the Google Chrome web browser is creating TONS of events that look like this:

Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.604406] type=1701 audit(1354903862.279:314): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8859 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000
Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.604408] type=1701 audit(1354903862.279:315): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8859 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000
Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.604411] type=1701 audit(1354903862.279:316): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8859 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000
Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.604413] type=1701 audit(1354903862.279:317): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8859 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000
Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.810789] type=1701 audit(1354903862.487:318): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8868 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000

Anybody know what these are and if they are a problem and how to make them go away (without just disabling kernel logging)?

Eric Carvalho
  • 54,385
Dave
  • 3,647

1 Answer

4

It's just the kernel logging audit events of seccomp from Chrome's sandbox.

From Wikipedia:

seccomp (short for secure computing mode) is a simple sandboxing mechanism for the Linux kernel. It was added in Linux kernel 2.6.12 on March 8, 2005.

It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL.

In this sense, it does not virtualize the system's resources but isolates the process from them entirely.


Google is exploring using seccomp for sandboxing its Chrome web browser.

As of Chrome version 20, seccomp is used to sandbox Adobe Flash Player. As of Chrome version 23, seccomp is used to sandbox the renderers.

See also:

Eric Carvalho
  • 54,385
  • That is very cool...so there are as many of these seccomp entries as there are chrome tabs/child processes, yes? Any way to turn these off? – Dave Dec 07 '12 at 21:57
  • I don't know if it's possible to silence these messages, as they're being sent by kernel itself. Maybe rsyslog has some filter capabilities. – Eric Carvalho Dec 09 '12 at 15:37
  • You can filter them pretty easily. On my system I made a /etc/rsyslog.d/30-seccomp.conf file with the contents of if $msg contains ' comm="chrom' then /var/log/chrome-seccomp.log 2 & ~ Make sure the & ~ is on the second line. – EdgeCaseBerg Jan 14 '15 at 16:23
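
As an added example (not part of the original question, answer or comments), the Python below parses the audit records quoted in the question and decodes the seccomp action from code= and the syscall name from syscall=. It assumes native x86_64 syscall numbers (the records show compat=0); the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Seccomp filter return actions (upper 16 bits of the filter's return value),
# as defined in linux/seccomp.h.
SECCOMP_ACTIONS = {
    0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
    0x00030000: "TRAP",         0x00050000: "ERRNO",
    0x7FC00000: "USER_NOTIF",   0x7FF00000: "TRACE",
    0x7FFC0000: "LOG",          0x7FFF0000: "ALLOW",
}
# Assumption: native x86_64 syscall table; only the first few entries are listed.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close",
                   4: "stat", 5: "fstat", 6: "lstat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def parse_seccomp_record(line):
    """Return a dict for a seccomp audit record, or None for any other line."""
    if 'reason="seccomp"' not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        code, nr = int(f["code"], 16), int(f["syscall"])
        pid, sig = int(f["pid"]), int(f["sig"])
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    return {
        "pid": pid, "comm": f.get("comm", "?"), "sig": sig,
        "syscall": X86_64_SYSCALLS.get(nr, f"#{nr}"),
        "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code)),
    }

def summarize(lines):
    """Count seccomp records per (comm, syscall, action)."""
    recs = filter(None, map(parse_seccomp_record, lines))
    return Counter((r["comm"], r["syscall"], r["action"]) for r in recs)

# First two lines are copied from the question; the last two are constructed.
SAMPLE = [
    'Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.604406] type=1701 audit(1354903862.279:314): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8859 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000',
    'Dec  7 13:11:02 mycomp-sys76 kernel: [ 8371.810789] type=1701 audit(1354903862.487:318): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=8868 comm="chrome" reason="seccomp" sig=0 syscall=4 compat=0 ip=0x7f8ebb41b205 code=0x50000',
    'Dec  7 13:11:03 mycomp-sys76 kernel: [ 8372.000000] usb 1-1: new device found',
    'Dec  7 13:11:03 mycomp-sys76 kernel: [ 8372.100000] type=1701 audit(1354903863.000:319): pid=8868 comm="chrome" reason="seccomp" sig=0 syscall=4',
]

if __name__ == "__main__":
    for (comm, syscall, action), n in summarize(SAMPLE).items():
        print(f"{n:4d}  {comm}  {syscall}  {action}")
```

For the records in the question this reports stat with action ERRNO and sig=0: the sandbox filter made the call fail with an error and the process kept running, rather than being killed.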