I have verified the fix according to the test plan above, using
255.4-1ubuntu8.1 from noble-proposed. Note, as I mentioned in an earlier
comment, this fix is NOT available on Desktop with TPM FDE until the
appropriate snap is rebuilt.

I have previously prepared a noble VM, and installed dracut for
generating the initrd, which means running systemd in the initrd.
Currently, I can see the AppArmor denials for rsyslog:

ubuntu@ubuntu:~$ sudo dmesg | grep rsyslog
[    2.816998] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rsyslog.service
[    5.588869] audit: type=1400 audit(1716388183.334:149): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=993 comm="apparmor_parser"
[    5.676353] audit: type=1400 audit(1716388183.422:150): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/notify" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    5.676388] audit: type=1400 audit(1716388183.422:151): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    5.676407] audit: type=1400 audit(1716388183.422:152): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    5.676425] audit: type=1400 audit(1716388183.422:153): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    5.676440] audit: type=1400 audit(1716388183.422:154): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   95.610731] audit: type=1400 audit(1716388273.356:166): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   95.974029] audit: type=1400 audit(1716388273.719:167): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=2072 comm="apparmor_parser"
[   96.010658] audit: type=1400 audit(1716388273.756:168): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/notify" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   96.010664] audit: type=1400 audit(1716388273.756:169): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   96.010666] audit: type=1400 audit(1716388273.756:170): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   96.010669] audit: type=1400 audit(1716388273.756:171): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[   96.010670] audit: type=1400 audit(1716388273.756:172): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=2073 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
ubuntu@ubuntu:~$ apt policy systemd
systemd:
  Installed: 255.4-1ubuntu8
  Candidate: 255.4-1ubuntu8
  Version table:
     255.4-1ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
 *** 255.4-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status


Now, I install systemd from noble-proposed, and then re-generate the initrd so 
that the patched systemd is in the initrd:

ubuntu@ubuntu:~$ sudo apt install systemd -y -t noble-proposed
[ ... ]
ubuntu@ubuntu:~$ sudo dracut --force
dracut[I]: Executing: /usr/bin/dracut --force
dracut[I]: Module 'mksh' will not be installed, because command 'mksh' could not be found!
dracut[I]: Module 'warpclock' will not be installed, because command 'hwclock' could not be found!
dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrphase' could not be found!
dracut[I]: Module 'systemd-timesyncd' will not be installed, because command '/usr/lib/systemd/systemd-timesyncd' could not be found!
dracut[I]: Module 'modsign' will not be installed, because command 'keyctl' could not be found!
dracut[I]: Module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
dracut[I]: Module 'rngd' will not be installed, because command 'rngd' could not be found!
dracut[I]: Module 'plymouth' will not be installed, because command 'plymouth-set-default-theme' could not be found!
dracut[I]: Module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut[I]: Module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut[I]: Module 'multipath' will not be installed, because command 'multipath' could not be found!
dracut[I]: Module 'pcsc' will not be installed, because command 'pcscd' could not be found!
dracut[I]: Module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
dracut[I]: Module 'nvmf' will not be installed, because command 'nvme' could not be found!
dracut[I]: Module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut[I]: Module 'memstrack' will not be installed, because command 'memstrack' could not be found!
dracut[I]: memstrack is not available
dracut[I]: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
dracut[I]: *** Including module: systemd ***
dracut[I]: *** Including module: systemd-initrd ***
dracut[I]: *** Including module: console-setup ***
dracut[I]: *** Including module: i18n ***
dracut[I]: *** Including module: crypt ***
dracut[I]: *** Including module: dm ***
dracut[I]: *** Including module: kernel-modules ***
dracut[I]: *** Including module: kernel-modules-extra ***
dracut[I]: *** Including module: lvm ***
dracut[I]: *** Including module: mdraid ***
dracut[I]: *** Including module: nvdimm ***
dracut[I]: *** Including module: overlay-root ***
dracut[I]: *** Including module: qemu ***
dracut[I]: *** Including module: lunmask ***
dracut[I]: *** Including module: resume ***
dracut[I]: *** Including module: rootfs-block ***
dracut[I]: *** Including module: terminfo ***
dracut[I]: *** Including module: udev-rules ***
dracut[I]: *** Including module: virtfs ***
dracut[I]: *** Including module: virtiofs ***
dracut[I]: *** Including module: dracut-systemd ***
dracut[I]: *** Including module: usrmount ***
dracut[I]: *** Including module: base ***
dracut[I]: *** Including module: fs-lib ***
dracut[I]: *** Including module: shutdown ***
dracut[I]: *** Including modules done ***
dracut[I]: *** Installing kernel module dependencies ***
dracut[I]: *** Installing kernel module dependencies done ***
dracut[I]: *** Resolving executable dependencies ***
dracut[I]: *** Resolving executable dependencies done ***
dracut[I]: *** Hardlinking files ***
dracut[I]: *** Hardlinking files done ***
dracut[I]: *** Generating early-microcode cpio image ***
dracut[I]: *** Constructing AuthenticAMD.bin ***
dracut[I]: *** Constructing GenuineIntel.bin ***
dracut[I]: *** Store current command line parameters ***
dracut[I]: *** Stripping files ***
dracut[I]: *** Stripping files done ***
dracut[I]: *** Creating image file '/boot/initrd.img-6.8.0-31-generic' ***
dracut[I]: Using auto-determined compression method 'pigz'
dracut[I]: *** Creating initramfs image file '/boot/initrd.img-6.8.0-31-generic' done ***
ubuntu@ubuntu:~$ sudo reboot

After the reboot:

ubuntu@ubuntu:~$ journalctl -b --grep "Switching root"
May 22 10:33:50 localhost @ystemctl[467]: Switching root - root: /sysroot; init: n/a
May 22 10:33:50 localhost systemd[1]: Switching root.
ubuntu@ubuntu:~$ sudo dmesg | grep rsyslog
[sudo] password for ubuntu: 
[    2.278177] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rsyslog.service
ubuntu@ubuntu:~$ systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-05-22 10:33:53 EDT; 59s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 1055 (rsyslogd)
      Tasks: 4 (limit: 4608)
     Memory: 6.7M (peak: 7.0M)
        CPU: 513ms
     CGroup: /system.slice/rsyslog.service
             └─1055 /usr/sbin/rsyslogd -n -iNONE

May 22 10:33:53 ubuntu rsyslogd[1055]: rsyslogd's groupid changed to 102
May 22 10:33:53 ubuntu rsyslogd[1055]: rsyslogd's userid changed to 102
May 22 10:33:53 ubuntu rsyslogd[1055]: [origin software="rsyslogd" 
swVersion="8.2312.0" x-pid="1055" x-info="https://>
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Got notification message from PID 1055 (READY=1)
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Changed start -> running
May 22 10:33:53 ubuntu systemd[1]: rsyslog.service: Job 290 rsyslog.service/start finished, result=done
May 22 10:33:53 ubuntu systemd[1]: Started rsyslog.service - System Logging Service.
May 22 10:33:54 ubuntu systemd[1]: rsyslog.service: System call riscv_hwprobe is not known, ignoring.
May 22 10:33:54 ubuntu systemd[1]: /usr/lib/systemd/system/rsyslog.service:21: 
System call riscv_hwprobe is not known>
May 22 10:33:54 ubuntu systemd[1]: rsyslog.service: Changed dead -> running
ubuntu@ubuntu:~$ apt policy systemd
systemd:
  Installed: 255.4-1ubuntu8.1
  Candidate: 255.4-1ubuntu8.1
  Version table:
 *** 255.4-1ubuntu8.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     255.4-1ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages

Hence, with the patched systemd in the initrd, we no longer see the
AppArmor denials, and rsyslog starts normally.


** Tags removed: verification-needed-noble
** Tags added: verification-done-noble
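The verification above relies on eyeballing `dmesg | grep rsyslog` for the "disconnected path" denials before and after the fix. The following is an added example (not code from the bug report or from systemd/AppArmor) that parses the type=1400 audit lines in that output and extracts only AppArmor DENIED events whose info field reports a disconnected path, so the before/after comparison can be scripted. The sample lines are constructed to match the format shown in the comment.

```python
import re

# Constructed sample modelled on the dmesg lines quoted in the bug comment:
# one STATUS line, two DENIED lines and one non-audit line (post-fix output).
SAMPLE_DMESG = """\
[    5.588869] audit: type=1400 audit(1716388183.334:149): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="rsyslogd" pid=993 comm="apparmor_parser"
[    5.676353] audit: type=1400 audit(1716388183.422:150): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/notify" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    5.676388] audit: type=1400 audit(1716388183.422:151): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="rsyslogd" name="systemd/journal/dev-log" pid=1055 comm="rsyslogd" requested_mask="w" denied_mask="w" fsuid=102 ouid=0
[    2.278177] systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/rsyslog.service
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one type=1400 (AppArmor) audit line, or None."""
    if "audit: type=1400" not in line:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def disconnected_path_denials(text):
    """Collect (profile, name, operation, denied_mask) for every DENIED event
    whose info field reports a disconnected path (the symptom of this bug)."""
    hits = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if "disconnected path" not in f.get("info", ""):
            continue
        hits.append((f.get("profile"), f.get("name"),
                     f.get("operation"), f.get("denied_mask")))
    return hits


def verification_passed(text):
    """True when a dmesg capture contains no disconnected-path denials,
    i.e. what the comment expects after the patched systemd is in the initrd."""
    return not disconnected_path_denials(text)


if __name__ == "__main__":
    for hit in disconnected_path_denials(SAMPLE_DMESG):
        print("DENIED profile=%s name=%s op=%s mask=%s" % hit)
    print("clean:", verification_passed(SAMPLE_DMESG))
```

Feed it the real `sudo dmesg` output before and after the reboot; `verification_passed` should flip from False to True once the patched systemd is in the initrd.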

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064096

Title:
  Services fail to start in noble deployed with TPM+FDE
