** Changed in: ubuntu-advantage-tools (Ubuntu)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided => High
** Changed in: ubuntu-advantage-tools (Ubuntu)
Status: Confirmed => In Progress
** Description changed:
[ Impact ]
On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting
apparmor DENIED errors on the apt update hook which executes esm-cache.service.
This ONLY happens if the version with the apparmor profiles is installed
on a Focal system which has been upgraded from Bionic, using do-release-upgrade.
It seems that despite covering /usr/bin/ in the profile on Focal for
commands like uname or systemctl, we don't account for /bin/. However,
when coming from a Bionic system, /bin/ is an actual folder instead of a
symlink (as expected on a fresh Focal machine).
+ This happens because of the usr-merge effort. On fresh focal systems, we have
symlinks replacing top-level directories like /bin, /sbin, and others:
+ root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
+ lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin
+ lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
+ lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
+ lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32
+ lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64
+ lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
+ lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin
+
+ In bionic, these are actual directories:
+ root@b:~# ls -lad /{bin,lib,lib*,sbin}
+ drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin
+ drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
+ drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
+ drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64
+ drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin
+
+ In a focal system that was upgraded from bionic, the usr-merge is not
+ done, and this focal system will retain the bionic top-level
+ directories.
+
Logs:
2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
- 2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel:
[237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED"
operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400
audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400
audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400
audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400
audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400
audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400
audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400
audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400
audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
- 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end
-
+ 2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel:
[237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED"
operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400
audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400
audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400
audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400
audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400
audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400
audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400
audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372
comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400
audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file"
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>"
profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3"
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
+ 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end
[ Test Plan ]
These were caught by the automated verification tests for v32.2 in
-proposed. If all of the automated verification tests pass for the
version with the fix (32.3), then that will be considered a verification
for this bug as well.
[ Where problems could occur ]
The fix edits the template for the ubuntu_pro_esm_cache apparmor
profile. If mistakes were made, it may cause new apparmor denials or
other related issues, ultimately meaning esm-cache.service wouldn't run
properly, preventing esm update notifications from being displayed on
unattached machines.
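As an added example (not code from the bug report or the ubuntu-advantage-tools project), the script below parses AppArmor DENIED audit lines like the ones above and checks each denied path against a set of profile path rules. AppArmor mediates on the kernel's resolved path, so a rule for /usr/bin/uname matches on a usr-merged Focal where /bin is a symlink, but not on an upgraded system where /bin/uname is a distinct real path; the /{,usr/}bin/ brace alternation is the usual profile idiom for covering both layouts, shown here as a general technique rather than as the project's actual fix. The sample log lines and both rule sets are constructed.

```python
import re
from itertools import product

# Added example (not code from the bug report or ubuntu-advantage-tools):
# parse AppArmor audit lines and check each denied path against profile path
# rules, expanding {a,b} alternations as AppArmor does for the /{,usr/}bin/
# idiom. Only literal paths and brace groups are handled, no * or ** globs.

AUDIT_RE = re.compile(
    r'apparmor="(?P<action>\w+)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
)

def expand_braces(rule):
    """Expand every {x,y,...} group in a path rule into the literal paths it covers."""
    groups = re.findall(r"\{([^{}]*)\}", rule)
    template = re.sub(r"\{[^{}]*\}", "{}", rule)
    alternatives = (g.split(",") for g in groups)
    return {template.format(*combo) for combo in product(*alternatives)}

def rule_covers(rules, path):
    """True if any rule expands to exactly this path."""
    return any(path in expand_braces(r) for r in rules)

def parse_denials(lines):
    """Yield (profile, path, denied_mask) for each apparmor="DENIED" line."""
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m.group("action") == "DENIED":
            yield m.group("profile"), m.group("name"), m.group("mask")

def uncovered(lines, rules):
    """Denied paths that none of the given rules would allow, sorted."""
    return sorted({p for _, p, _ in parse_denials(lines) if not rule_covers(rules, p)})

# Constructed sample lines modelled on the audit entries in the bug report
# (namespace field dropped for brevity; the ALLOWED line is a complain-mode entry).
SAMPLE_LOG = [
    'audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" '
    'profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x"',
    'audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" '
    'profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x"',
    'audit: type=1400 audit(1716530950.000:82850): apparmor="ALLOWED" operation="exec" class="file" '
    'profile="ubuntu_pro_esm_cache" name="/usr/bin/uname" pid=108730 comm="python3" requested_mask="x" denied_mask="x"',
]

# Rules written for a usr-merged Focal only, versus the usual usr-merge-aware idiom.
FOCAL_ONLY_RULES = ["/usr/bin/uname", "/usr/bin/systemctl"]
MERGE_AWARE_RULES = ["/{,usr/}bin/uname", "/{,usr/}bin/systemctl"]
```

Running `uncovered(SAMPLE_LOG, FOCAL_ONLY_RULES)` reproduces the bug's two denied paths, while the merge-aware rules leave nothing uncovered.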
** Description changed:
- This happens because of the usr-merge effort. On fresh focal systems, we have
symlinks replacing top-level directories like /bin, /sbin, and others:
+ This happens because of the usr-merge[1] effort. On fresh focal systems, we
have symlinks replacing top-level directories like /bin, /sbin, and others:
+
+ 1. https://wiki.debian.org/UsrMerge
+
+
https://bugs.launchpad.net/bugs/2067319
Title:
After upgrading from bionic to focal, esm-cache.service hits apparmor
denials