** Description changed:
[ Impact ]
- * An explanation of the effects of the bug on users and
+ Systems with a /var/lib/dpkg/arch file will trigger an apparmor DENIED
+ log entry when the esm-cache service tries to access that file.
- * justification for backporting the fix to the stable release.
+ Not all systems will have /var/lib/dpkg/arch. It can be created,
+ probably among other scenarios, when a subarchitecture is added. For
+ example, on amd64 systems, it's quite common to also have i386 added via
+ the command
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ sudo dpkg --add-architecture i386
+
+ That is enough to create /var/lib/dpkg/arch populated with both am64 and
+ i386, and trigger this bug.
+
+ The upstream test suite has been run with the bug trigger in place, and
+ no tests have been found that would fail because of this bug (other than
+ the check for apparmor DENIED logs). Even so, this influx of apparmor
+ logs can be troubling, or we could have missed a scenario where it
+ really triggers an incorrect behavior in the Pro client. Given that the
+ fix is simple, and easy to test, we decided to proceed with this SRU.
[ Test Plan ]
- * detailed instructions how to reproduce the bug
+ * detailed instructions how to reproduce the bug
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
- * if other testing is appropriate to perform before landing this update,
- this should also be described here.
+ * if other testing is appropriate to perform before landing this update,
+ this should also be described here.
[ Where problems could occur ]
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ * Think about what the upload changes in the software. Imagine the change is
+ wrong or breaks something else: how would this show up?
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
+ * This must '''never''' be "None" or "Low", or entirely an argument as to why
+ your upload is low risk.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
+ * and address these questions in advance
[ Original Description ]
ubuntu-advantage-tools 32.3~18.04 is causing a new apparmor denial on
Bionic when updating:
[ 8091.769560] audit: type=1400 audit(1717273124.410:121):
apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//dpkg"
name="/var/lib/dpkg/arch" pid=10358 comm="dpkg" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
Fix:
--- /etc/apparmor.d/ubuntu_pro_esm_cache.orig 2024-06-01 22:31:28.276735437
+0200
+++ /etc/apparmor.d/ubuntu_pro_esm_cache 2024-06-01 22:31:07.163884846
+0200
@@ -174,6 +174,8 @@
/etc/dpkg/** r,
+ /var/lib/dpkg/** r,
+
/{,usr/}bin/dpkg mr,
}
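Review bot: the added rule `/var/lib/dpkg/** r,` gives the dpkg child profile read access to everything under /var/lib/dpkg, while the denial quoted above names only /var/lib/dpkg/arch with requested_mask="r". If that file is all that is needed, `/var/lib/dpkg/arch r,` keeps the profile tighter. If the wider glob is deliberate, a comment in the profile or a line in the description naming the other paths dpkg reads there would make that choice reviewable. Separately, [ Test Plan ] and [ Where problems could occur ] still hold the SRU template text. The `sudo dpkg --add-architecture i386` trigger given under [ Impact ], followed by a check for the DENIED entry, looks like the reproduce step to record there.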
--
https://bugs.launchpad.net/bugs/2067810
Title:
New Apparmor denial with ubuntu-advantage-tools on bionic