Repeated audit error on snap run

RSATom · June 27, 2021, 2:31pm

I’ve created some snap based on GStreamer and when running it on Raspberry Pi I see huge amount of repeated audit errors in /var/log/kern.log and almost 100% CPU load

Jun 27 15:06:30 raspberrypi kernel: [13005.216236] audit: type=1326 audit(1624802790.096:29538525): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1161 comm="task1" exe="/snap/youtube-live-streamer/20/opt/youtube-live-streamer/bin/YouTubeLiveStreamer" sig=0 arch=40000028 syscall=414 compat=0 ip=0x76af0be6 code=0x50000

I’ve tryed to find out what is 414 call but no luck:

pi@raspberrypi:~ $ scmp_sys_resolver 414
UNKNOWN

pi@raspberrypi:~ $ ausyscall 414
Unknown syscall 414 using armeb lookup table

How I can find out exact reason of that problem?

lucyllewy · June 28, 2021, 12:33am

That’s ppoll_time64. The seccomp system will cause the app to see a “permission denied” response and might not be an issue other than noise in the logs.

I’ve moved this thread to the snapd topic so that a snapd developer can weigh-in about whether this syscall should be added to the whitelist or an appropriate interface.

RSATom · June 28, 2021, 2:06am

Thank you for assistance!

Do you know any way to workaround this issue? I can’t just ignore it since:

It produces huge amount of lines in kern.log (megabytes in a minute)
It gives ~280% for main executable + ~80% for auditd + ~60% for kauditd of CPU load (in % of top utility on Raspberry PI 2)
if I use the same snap with --devmode it takes only ~20% of CPU load

Thanks in advance.

ogra · June 28, 2021, 7:46am

what OS are you running there exactly (armeb is a very uncommon architecture name) ? can you give the full output of snap version

mborzecki · June 28, 2021, 7:49am

FWIW ppoll_time64 has been part of the default template since snapd 2.45, which was tagged in May 2020.

RSATom · June 28, 2021, 8:00am

It’s the latest Raspberry Pi OS Lite (Raspbian previously)

ogra · June 28, 2021, 8:01am

and the output of snap version ?

RSATom · June 28, 2021, 8:02am

pi@raspberrypi:~ $ snap version
snap      2.37.4-1+rpi1
snapd     2.37.4-1+rpi1
series    16
raspbian  10
kernel    5.10.17-v7+

ogra · June 28, 2021, 8:13am

There you go, your snapd is very outdated … i’m not sure if RaspiOS supports re-exec but you could try installing the snapd snap to get to a newer version.

RSATom · June 28, 2021, 8:14am

So it just Debian updating too slowly, right?

ogra · June 28, 2021, 8:20am

well, no idea what the update philosophy of RaspiOS is … but it is likely they take a snapshot of the debian archive at some point in time and then stabilize that for their hacks and patches … so it might not get updated at all … you got to ask them

but try installing the snapd snap and see if it re-execs (current snapd is at 2.51)

RSATom · June 28, 2021, 8:22am

pi@raspberrypi:~ $ sudo snap install snapd
error: cannot install "snapd": cannot install snapd snap on a model without a base snap yet

Is it what you mean?

ogra · June 28, 2021, 8:24am

try snap install core18 and then snap install snapd so it finds a base snap first …

RSATom · June 28, 2021, 8:27am

Unfortunately no luck

pi@raspberrypi:~ $ sudo snap install core18
core18 20210611 from Canonical✓ installed
pi@raspberrypi:~ $ sudo snap install snapd
error: cannot install "snapd": cannot install snapd snap on a model without a base snap yet

RSATom · June 28, 2021, 8:27am

So it looks like I have to try Ubuntu distro…

ogra · June 28, 2021, 8:31am

well, pehaps i’m recommending something wrong here, lets see if @mborzecki has another hint … i know using the snapd snap should work on plain debian …

mborzecki · June 28, 2021, 8:55am

I think reexec should be supported on debian on arm. Maybe raspbian changes some things under the hood that break it.

Can you install the hello-world snap and try running: SNAPD_DEBUG=1 snap run hello-world and then attach the output?

Next, please run and attach the output of cat /etc/os-release.

RSATom · June 28, 2021, 9:28am

Here it is https://gist.github.com/RSATom/f47ce32339f1bfacc971cbaa6d2ba035

mborzecki · June 28, 2021, 9:30am

pi@raspberrypi:~ $ SNAPD_DEBUG=1 snap run hello-world 
2021/06/28 10:26:03.933666 cmd_linux.go:212: DEBUG: restarting into "/snap/core/current/usr/bin/snap"

So the snap command reexecs into the core snap. Can you do snap list core? And maybe followed by snap refresh core, and finally run snap version and attach the output?

RSATom · June 28, 2021, 9:33am

pi@raspberrypi:~ $ snap list core
Name  Version  Rev    Tracking       Publisher   Notes
core  16-2.51  11191  latest/stable  canonical✓  core
pi@raspberrypi:~ $ sudo snap refresh core
snap "core" has no updates available
pi@raspberrypi:~ $ snap version
snap      2.51
snapd     2.51
series    16
raspbian  10
kernel    5.10.17-v7+