Unwanted activation of root-processes getting highly activated

Unwanted activation of root-processes getting highly activated

[secret]

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken

Re: Unwanted activation of root-processes getting highly activated

[Theodore Ts'o]

On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
> Date: 08.10.2021
> 
> Subject/Betreff: Unwanted activation of root-processes reading and writing out
> the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
> usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
> Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
> Überschreiben beliebiger Dateien
> 
> Hi, Greg, dear Linux experts and friends,
> 
> this is one of the most dangerous and worst things, Linux can happen!
> Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
> and higher, additional remark from 10.08.2021), there still is a problem with
> unexpectedly activated, highly active root-processes (making the tower-LED
> causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
> madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
> read out and overwritten!
> 
> The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
> root-processes are named
> 
> kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
> kworker/0:1H-kblockd
> dmcrypt_write/2 and
> jbd2/dm2--8

Activity by these kernel threads indicate that some userspace program
running on your system is reading (and in the case of the
dmcrypt_write and jbd2 kernel threads, writing) data to your hard
drive.  They are a symptom, not the cause of whatever is causing the
large amount of activity on your SSD/hard drive.

It is not something that can be "patched" in the kernel.  It is an
indication of some program (or possibly malware) running on your
system is doing a lot of file I/O.

It is possible that as a result of some web site that you visited, it
is causing the web browser ("firejail", which sounds like the firefox
browser running some kind of security sandbox) to do a lot of I/O.  So
the first thing you might try is to exit the web browser and see that
causes the I/O to abate.  If it does, and if it starts up again when
you start the web browser and the web browser is not open on any web
pages, then you might have some misbehaving browser extension that
somehow got installed, and you might want to try clearing your browser
profile and uninstalling all of your browser extensions.

If exiting the browser does not cause the SSD/HDD activity to stop
within half a minute or so, then some other userspace program must be
causing it.  It is possible that this might be some background system
indexing (for example, rebuilding the locatedb), although normally if
you've left the system up at night, this sort of activity is done when
the system is idle typically in the wee hours of the morning.

But it is also possible that you have some kind of malware installed
on your system, in which case the only good solution is to reinstall
it.  In any case, this is not something that kernel developers can
help you with.  Perhaps if there is a local Linux User's Group that
you can contact for more assistance, they can help you.  If not,
you'll need to find someone who can help you with Linux system
administration.

Cheers,

						- Ted

Re: Unwanted activation of root-processes getting highly activated

[Randy Dunlap]

On 10/9/21 7:15 AM, Theodore Ts'o wrote:
> On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
>> Date: 08.10.2021
>>
>> Subject/Betreff: Unwanted activation of root-processes reading and writing out
>> the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
>> usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
>> Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
>> Überschreiben beliebiger Dateien
>>
>> Hi, Greg, dear Linux experts and friends,
>>
>> this is one of the most dangerous and worst things, Linux can happen!
>> Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
>> and higher, additional remark from 10.08.2021), there still is a problem with
>> unexpectedly activated, highly active root-processes (making the tower-LED
>> causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
>> madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
>> read out and overwritten!
>>
>> The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
>> root-processes are named
>>
>> kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
>> kworker/0:1H-kblockd
>> dmcrypt_write/2 and
>> jbd2/dm2--8
> 
> Activity by these kernel threads indicate that some userspace program
> running on your system is reading (and in the case of the
> dmcrypt_write and jbd2 kernel threads, writing) data to your hard
> drive.  They are a symptom, not the cause of whatever is causing the
> large amount of activity on your SSD/hard drive.
> 
> It is not something that can be "patched" in the kernel.  It is an
> indication of some program (or possibly malware) running on your
> system is doing a lot of file I/O.
> 
> It is possible that as a result of some web site that you visited, it
> is causing the web browser ("firejail", which sounds like the firefox
> browser running some kind of security sandbox) to do a lot of I/O.  So
> the first thing you might try is to exit the web browser and see that
> causes the I/O to abate.  If it does, and if it starts up again when
> you start the web browser and the web browser is not open on any web
> pages, then you might have some misbehaving browser extension that
> somehow got installed, and you might want to try clearing your browser
> profile and uninstalling all of your browser extensions.
> 
> If exiting the browser does not cause the SSD/HDD activity to stop
> within half a minute or so, then some other userspace program must be
> causing it.  It is possible that this might be some background system
> indexing (for example, rebuilding the locatedb), although normally if
> you've left the system up at night, this sort of activity is done when
> the system is idle typically in the wee hours of the morning.
> 
> But it is also possible that you have some kind of malware installed
> on your system, in which case the only good solution is to reinstall
> it.  In any case, this is not something that kernel developers can
> help you with.  Perhaps if there is a local Linux User's Group that
> you can contact for more assistance, they can help you.  If not,
> you'll need to find someone who can help you with Linux system
> administration.
> 
> Cheers,
> 						- Ted

Hi,
Did you try any of what Ted suggested?
and what happened when you did that?

-- 
~Randy

Unwanted activation of root-processes getting highly activated

[secret]

Such processes get always activated. But I have never seen them in such
dangerous high activity as described below!

Regards,
Andreas (Gooken)

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken

Unwanted activation of root-processes getting highly activated

[secret]

Hi again,

concerns: Kernel-5.4.130 - Kernel-5.4.152

Below problem must have to do with the installation of a new kernel-version.

I removed the old kernel(-version) and its modules completely from
SSD/harddisk before the system got restarted, so that listed root-processes
always act hyperactive whenever Pale Moon (within sandbox firejail and Tor)
get started.

So this hint might help you to patch the kernel.

Regards,
Andreas
(Gooken)

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken

Unwanted activation of root-processes getting highly activated

[secret]

Hi again,

concerns: Kernel-5.4.130 - Kernel-5.4.152

Below problem must have to do with the installation of a new kernel-version.

I removed the old kernel(-version) and its modules completely from
SSD/harddisk, before the system got restarted, so that listed root-processes
always act hyperactive whenever Pale Moon (within sandbox firejail and Tor)
gets started.

So this might be a good hint for the belonging patch of this kernel.

Regards,
Andreas
(Gooken)

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken

Unwanted activation of root-processes getting highly activated

[secret]

Oh, no, it does not have to do with the kernel-installation as I told you my
Email before for it happened again this day!

Regards
Andreas

Hi again,

concerns: Kernel-5.4.130 - Kernel-5.4.152

Below problem must have to do with the installation of a new kernel-version.

I removed the old kernel(-version) and its modules completely from
SSD/harddisk, before the system got restarted, so that listed root-processes
always act hyperactive whenever Pale Moon (within sandbox firejail and Tor)
gets started.

So this might be a good hint for the belonging patch of this kernel.

Regards,
Andreas
(Gooken)

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken

Unwanted activation of root-processes getting highly activated

[secret]

10.27.2021
Hello, today it manages us (Gooken) to prevent the highly active kernel-
processes from above after a look into the home-directory of tor
(/home/surfuser).
There the size of a file increases all the times during the activation of tor
surrounded by firejail (that causes the high activity of the kernel-
processes), it is named:

cached-microdesc-consensus

and its size was incredible high (much over 100 MB)!

It prevents Tor from building up any connection, so I had to wait up to 20
minutes.

Deleting it did not help: This file occured and larges its size again.

So we set integrity on it (this file) by "chattr +i";. Now the problem
described next indeed got solved, Tor immediately builds up connections,
kernel-processes activity lowered to the current percentage far below 10
percent and the tower-LED for readwrites stopped blinking,
but nevertheless this is not really a good solution,
tor or firejail and kernel (here 5.4) of course still have to get patched ! (
!!! )

Date: 08.10.2021

Subject/Betreff: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren
Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und
Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!<BR>
But they did appear unexpectedly again in kernel-5.4.151 !
<BR><BR>
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won&#180;t
patch it !

Regards
Gooken