Repeated audit error on snap run

I’ve created a snap based on GStreamer, and when running it on a Raspberry Pi I see a huge amount of repeated audit errors in /var/log/kern.log and almost 100% CPU load:

Jun 27 15:06:30 raspberrypi kernel: [13005.216236] audit: type=1326 audit(1624802790.096:29538525): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1161 comm="task1" exe="/snap/youtube-live-streamer/20/opt/youtube-live-streamer/bin/YouTubeLiveStreamer" sig=0 arch=40000028 syscall=414 compat=0 ip=0x76af0be6 code=0x50000

I’ve tried to find out what call 414 is, but no luck:

pi@raspberrypi:~ $ scmp_sys_resolver 414
pi@raspberrypi:~ $ ausyscall 414
Unknown syscall 414 using armeb lookup table

How can I find out the exact reason for that problem?

That’s ppoll_time64. The seccomp system will cause the app to see a “permission denied” response and might not be an issue other than noise in the logs.

I’ve moved this thread to the snapd topic so that a snapd developer can weigh in about whether this syscall should be added to the whitelist or an appropriate interface.
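
Added example (not part of the original thread and not snapd code): a small Python decoder for the `type=1326` seccomp audit record quoted in the first post, for cases where `scmp_sys_resolver` and `ausyscall` ship tables too old to name the syscall. The lookup tables are deliberately partial and the function names are made up for this illustration; the sample line is copied from the first post.

```python
import re
from collections import Counter

# audit "arch" values: ELF machine number, with 0x40000000 set for little-endian.
AUDIT_ARCH = {0x40000028: "arm (little-endian)", 0x00000028: "armeb (big-endian)"}
# 32-bit ARM syscall numbers; partial table covering some time64 calls (Linux 5.1+).
ARM_SYSCALLS = {403: "clock_gettime64", 407: "clock_nanosleep_time64",
                413: "pselect6_time64", 414: "ppoll_time64", 422: "futex_time64"}
# seccomp filter actions; the audit "code" field carries the action bits.
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7ffc0000: "LOG", 0x7fff0000: "ALLOW"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Record copied from the first post of the thread.
SAMPLE = ('Jun 27 15:06:30 raspberrypi kernel: [13005.216236] audit: type=1326 '
          'audit(1624802790.096:29538525): auid=4294967295 uid=0 gid=0 '
          'ses=4294967295 pid=1161 comm="task1" '
          'exe="/snap/youtube-live-streamer/20/opt/youtube-live-streamer/bin/'
          'YouTubeLiveStreamer" sig=0 arch=40000028 syscall=414 compat=0 '
          'ip=0x76af0be6 code=0x50000')

def decode_seccomp_record(line):
    """Decode one kern.log line; return None if it is not a seccomp record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)      # printed as hex without a 0x prefix
    nr = int(fields["syscall"])         # printed as decimal
    code = int(fields["code"], 16)
    is_arm = (arch & 0xffff) == 0x28    # syscall table above is ARM-only
    name = ARM_SYSCALLS.get(nr, f"unknown({nr})") if is_arm else f"nr {nr}"
    return {"comm": fields.get("comm"), "exe": fields.get("exe"),
            "arch": AUDIT_ARCH.get(arch, hex(arch)), "syscall": name,
            "action": SECCOMP_ACTIONS.get(code & 0xffff0000, hex(code))}

def summarize(lines):
    """Count seccomp records per (comm, syscall, action) to find the noisy call."""
    hits = Counter()
    for line in lines:
        rec = decode_seccomp_record(line)
        if rec:
            hits[(rec["comm"], rec["syscall"], rec["action"])] += 1
    return hits

if __name__ == "__main__":
    print(decode_seccomp_record(SAMPLE))
```

For the quoted record this reports `ppoll_time64` on little-endian ARM with action `ERRNO`, meaning the filter made the call fail with an error instead of killing the process; feeding `summarize()` the lines of kern.log shows which process and syscall produce the flood.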

Thank you for assistance!

Do you know any way to work around this issue? I can’t just ignore it since:

  1. It produces a huge amount of lines in kern.log (megabytes in a minute)
  2. It gives ~280% CPU load for the main executable + ~80% for auditd + ~60% for kauditd (in % as shown by the top utility on a Raspberry Pi 2)
  3. If I use the same snap with --devmode, it takes only ~20% CPU load

Thanks in advance.

what OS are you running there exactly (armeb is a very uncommon architecture name)? can you give the full output of snap version?

FWIW ppoll_time64 has been part of the default template since snapd 2.45, which was tagged in May 2020.

It’s the latest Raspberry Pi OS Lite (Raspbian previously)

and the output of snap version?

pi@raspberrypi:~ $ snap version
snap      2.37.4-1+rpi1
snapd     2.37.4-1+rpi1
series    16
raspbian  10
kernel    5.10.17-v7+

There you go, your snapd is very outdated … I’m not sure if RaspiOS supports re-exec but you could try installing the snapd snap to get to a newer version.

So it’s just Debian updating too slowly, right?

well, no idea what the update philosophy of RaspiOS is … but it is likely they take a snapshot of the Debian archive at some point in time and then stabilize that for their hacks and patches … so it might not get updated at all … you got to ask them 🙂

but try installing the snapd snap and see if it re-execs (current snapd is at 2.51)

pi@raspberrypi:~ $ sudo snap install snapd
error: cannot install "snapd": cannot install snapd snap on a model without a base snap yet

Is that what you mean?

try snap install core18 and then snap install snapd so it finds a base snap first …

Unfortunately no luck 😞

pi@raspberrypi:~ $ sudo snap install core18
core18 20210611 from Canonical✓ installed
pi@raspberrypi:~ $ sudo snap install snapd
error: cannot install "snapd": cannot install snapd snap on a model without a base snap yet

So it looks like I have to try the Ubuntu distro…

well, perhaps I’m recommending something wrong here, let’s see if @mborzecki has another hint … I know using the snapd snap should work on plain Debian …

I think reexec should be supported on Debian on ARM. Maybe Raspbian changes some things under the hood that break it.

Can you install the hello-world snap and try running: SNAPD_DEBUG=1 snap run hello-world and then attach the output?

Next, please run and attach the output of cat /etc/os-release.

Here it is:

pi@raspberrypi:~ $ SNAPD_DEBUG=1 snap run hello-world 
2021/06/28 10:26:03.933666 cmd_linux.go:212: DEBUG: restarting into "/snap/core/current/usr/bin/snap"

So the snap command reexecs into the core snap. Can you do snap list core? And maybe followed by snap refresh core, and finally run snap version and attach the output?

pi@raspberrypi:~ $ snap list core
Name  Version  Rev    Tracking       Publisher   Notes
core  16-2.51  11191  latest/stable  canonical✓  core
pi@raspberrypi:~ $ sudo snap refresh core
snap "core" has no updates available
pi@raspberrypi:~ $ snap version
snap      2.51
snapd     2.51
series    16
raspbian  10
kernel    5.10.17-v7+