Public bug reported:

[ Impact ]

On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting
apparmor DENIED errors on the apt update hook which executes
esm-cache.service.

This ONLY happens if the version with the apparmor profiles is installed
on a Focal system which has been upgraded from Bionic, using
do-release-upgrade.

It seems that despite covering /usr/bin/ in the profile on Focal for
commands like uname or systemctl, we don't account for /bin/. However,
when coming from a Bionic system, /bin/ is an actual folder instead of a
symlink (as expected on a fresh Focal machine).

Logs:
2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end


[ Test Plan ]

These were caught by the automated verification tests for v32.2 in
-proposed. If all of the automated verification tests pass for the
version with the fix (32.3), then that will be considered a verification
for this bug as well.

[ Where problems could occur ]

The fix edits the template for the ubuntu_pro_esm_cache apparmor
profile. If mistakes were made, it may cause new apparmor denials or
other related issues, ultimately meaning esm-cache.service wouldn't run
properly, preventing esm update notifications from being displayed on
unattached machines.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067319

Title:
  After upgrading from bionic to focal, esm-cache.service hits apparmor
  denials

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067319/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
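The layout difference the report describes can be checked and the profile gap reproduced offline. The script below is an added example, not code from the bug report or from the ubuntu-advantage-tools package: it classifies a /bin directory as the merged-/usr symlink of a fresh Focal install or a real directory as on a system upgraded from Bionic, pulls the denied path out of two audit lines taken from the report (namespace field trimmed), and checks them against two constructed profile fragments, one with rules written only for /usr/bin/ and one using AppArmor's `/{usr/,}bin/` path alternation, which matches both layouts. The profile fragments, the rule names and the matcher are illustrative and are not the real ubuntu_pro_esm_cache template.

```shell
#!/bin/sh
# Added example, not from the bug report or ubuntu-advantage-tools.
# Shows why exec rules written only for /usr/bin/ miss /bin/ on a split-/usr
# system, and how the {usr/,} alternation covers both layouts.

# Classify a bin directory: "symlink" on a merged-/usr system (fresh Focal),
# "directory" when it is a real directory (Focal upgraded from Bionic).
bin_layout() {
    if [ -L "$1" ]; then echo symlink; else echo directory; fi
}

# Constructed profile fragments (not the real ubuntu_pro_esm_cache template).
PROFILE_BEFORE='/usr/bin/uname ix,
/usr/bin/systemctl Cx -> systemctl,'
PROFILE_AFTER='/{usr/,}bin/uname ix,
/{usr/,}bin/systemctl Cx -> systemctl,'

# Does one rule path cover the target path? Handles only the leading
# /{usr/,} alternation, which AppArmor expands to /usr/<rest> and /<rest>.
rule_covers() {
    r=$1; t=$2; alt='/{usr/,}'
    case "$r" in
        "$alt"*)
            rest=${r#"$alt"}
            [ "$t" = "/usr/$rest" ] || [ "$t" = "/$rest" ]
            ;;
        *) [ "$t" = "$r" ] ;;
    esac
}

# Does any rule in a profile fragment cover the target? Exit 0 if yes.
profile_covers() {
    pf=$1; tgt=$2
    printf '%s\n' "$pf" | {
        while read -r path _perms _; do
            case "$path" in ''|'#'*) continue ;; esac
            rule_covers "$path" "$tgt" && exit 0
        done
        exit 1
    }
}

# Extract the denied path from an apparmor="DENIED" audit line.
denied_name() {
    printf '%s\n' "$1" | sed -n 's/.*apparmor="DENIED".* name="\([^"]*\)".*/\1/p'
}

# For each audit line, say whether the given profile fragment would have
# allowed the exec. Prints one "<path> covered|uncovered" line per denial.
report_denials() {
    pf=$1; shift
    for line in "$@"; do
        name=$(denied_name "$line")
        [ -n "$name" ] || continue
        if profile_covers "$pf" "$name"; then
            printf '%s covered\n' "$name"
        else
            printf '%s uncovered\n' "$name"
        fi
    done
}

# Two denial lines from the bug report's log excerpt (namespace field trimmed).
LINE1='May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000'
LINE2='May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000'

# Stand-alone run: host layout, then coverage before and after the fix.
echo "/bin on this host: $(bin_layout /bin)"
echo "--- rules written for /usr/bin only ---"
report_denials "$PROFILE_BEFORE" "$LINE1" "$LINE2"
echo "--- rules written as /{usr/,}bin ---"
report_denials "$PROFILE_AFTER" "$LINE1" "$LINE2"
```

On a fresh Focal host the first line prints `symlink` and the kernel would have resolved /bin/uname to the same inode the /usr/bin rule names, but AppArmor matches on the path the process executed, so the upgraded-from-Bionic case prints `directory` and the first report lists both paths as uncovered; the `/{usr/,}bin` form covers both. The matcher handles only that one alternation and exact paths, which is enough to show the gap; `aa-logprof` or `apparmor_parser -p` are the tools to use against a real profile.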
