** Description changed:

+ (SRU data for ubuntu-advantage-tools; see the Original Description section below otherwise)
+ [ Impact ]
+ 
+ Starting on Questing, users may see apparmor DENIED operations when
+ running Pro Client commands due to the change to rust-coreutils. This is
+ already tested and fixed there, but it's being backported to all Pro-
+ supported releases per
+ https://documentation.ubuntu.com/sru/en/latest/reference/exception-
+ UbuntuAdvantageTools-Updates/. There must be no impact to users in these
+ releases.
+ 
+ [ Test plan ]
+ 
+ As part of the verification of LP #2125453, the whole acceptance test
+ suite is executed. Any apparmor DENIED entry is considered a failure in
+ the acceptance tests. Tests passing means no DENIED operation for all
+ the covered and supported scenarios.
+ 
+ [ Where problems could occur ]
+ 
+ The code fixing the bug in -devel could have a negative impact on older
+ releases, as we keep the same codebase everywhere. We believe this won't
+ result in a regression because it is loosening the profile instead of
+ restricting it further. There is the risk of allowing things we would not
+ want, but the patch comes directly from the apparmor team, via Georgia
+ Garcia ([email protected]), which makes it more reliable.
+ 
+ [ Original Description ]
+ 
  apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
  binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2 released
  on May 08, 2025. Minimally this looks to affect the wg-quick profile. But
  there may be other profiles that are affected.
  
- 
- gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. Apparmor resolves the symlink to the real target path which then breaks any apparmor profile which referenced the format /usr/bin or /usr/sbin utility name.
- 
- 
- The result is many DENIED operations for any symlinked gnu-coreutils command.
- 
- 
- This bug appears to affect any apparmor profile in Ubuntu questing which happens to set file-based mediation rules for any of the symlinked utilities below:
- 
- 
- Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format:
+ gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink
+ and 105 other utilities in /usr/bin which point to
+ /usr/bin/gnu<toolname>. Apparmor resolves the symlink to the real target
+ path which then breaks any apparmor profile which referenced the format
+ /usr/bin or /usr/sbin utility name.
+ 
+ The result is many DENIED operations for any symlinked gnu-coreutils
+ command.
+ 
+ This bug appears to affect any apparmor profile in Ubuntu questing which
+ happens to set file-based mediation rules for any of the symlinked
+ utilities below:
+ 
+ Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format:
  pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
- 
- 2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" 
+ 2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick"
  name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  
  2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel:
  audit: type=1400 audit(1757951720.114:447): apparmor="DENIED"
  operation="open" class="file" profile="wg-quick"
  name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0
- 
  
  Symlinked utilities due to gnu-coreutils:
  /usr/bin/arch
  /usr/bin/b2sum
  /usr/bin/base32
  /usr/bin/base64
  /usr/bin/basename
  /usr/bin/basenc
  /usr/bin/cat
  /usr/bin/chcon
  /usr/bin/chgrp
  /usr/bin/chmod
  /usr/bin/chown
  /usr/bin/cksum
  /usr/bin/comm
  /usr/bin/cp
  /usr/bin/csplit
  /usr/bin/cut
  /usr/bin/date
  /usr/bin/dd
  /usr/bin/df
  /usr/bin/dir
  /usr/bin/dircolors
  /usr/bin/dirname
  /usr/bin/du
  /usr/bin/echo
  /usr/bin/env
  /usr/bin/expand
  /usr/bin/expr
  /usr/bin/factor
  /usr/bin/false
  /usr/bin/fmt
  /usr/bin/fold
  /usr/bin/groups
  /usr/bin/head
  /usr/bin/hostid
  /usr/bin/id
  /usr/bin/install
  /usr/bin/join
  /usr/bin/link
  /usr/bin/ln
  /usr/bin/logname
  /usr/bin/ls
  /usr/bin/md5sum
  /usr/bin/mkdir
  /usr/bin/mkfifo
  /usr/bin/mknod
  /usr/bin/mktemp
  /usr/bin/mv
  /usr/bin/nice
  /usr/bin/nl
  /usr/bin/nohup
  /usr/bin/nproc
  /usr/bin/numfmt
  /usr/bin/od
  /usr/bin/paste
  /usr/bin/pathchk
  /usr/bin/pinky
  /usr/bin/pr
  /usr/bin/printenv
  /usr/bin/printf
  /usr/bin/ptx
  /usr/bin/pwd
  /usr/bin/readlink
  /usr/bin/realpath
  /usr/bin/rm
  /usr/bin/rmdir
  /usr/bin/runcon
  /usr/bin/seq
  /usr/bin/sha1sum
  /usr/bin/sha224sum
  /usr/bin/sha256sum
  /usr/bin/sha384sum
  /usr/bin/sha512sum
  /usr/bin/shred
  /usr/bin/shuf
  /usr/bin/sleep
  /usr/bin/sort
  /usr/bin/split
  /usr/bin/stat
  /usr/bin/stdbuf
  /usr/bin/stty
  /usr/bin/sum
  /usr/bin/sync
  /usr/bin/tac
  /usr/bin/tail
  /usr/bin/tee
  /usr/bin/test
  /usr/bin/timeout
  /usr/bin/touch
  /usr/bin/tr
  /usr/bin/true
  /usr/bin/truncate
  /usr/bin/tsort
  /usr/bin/tty
  /usr/bin/uname
  /usr/bin/unexpand
  /usr/bin/uniq
  /usr/bin/unlink
  /usr/bin/users
  /usr/bin/vdir
  /usr/bin/wc
  /usr/bin/who
  /usr/bin/whoami
  /usr/bin/yes
  /usr/sbin/chroot
  
- 
- 
  ### steps to reproduce
  lxc launch ubuntu-daily:questing --vm kvm-q
  lxc exec kvm-q bash
  apt-get update --yes
  apt-get install wireguard-tools --yes
  modprobe wireguard
  su - ubuntu
  umask 077
  wg genkey > wg0.key
- wg pubkey < wg0.key > wg0.pub 
+ wg pubkey < wg0.key > wg0.pub
  <CTRL-D>
  root@kvm-q:~#  KEY=`cat /home/ubuntu/wg0.key`
  root@kvm-q:~#  PUBKEY=`cat /home/ubuntu/wg0.pub`
  root@kvm-q:~#  cat > /etc/wireguard/wg0.conf <<EOF
  [Interface]
  Address = 192.168.254.1/32
  ListenPort = 51820
  PrivateKey = ${KEY}
  
  [Peer]
  PublicKey = ${PUBKEY}
  AllowedIPs = 192.168.254.2/32
  EOF
  
  systemctl restart wg-quick@wg
  echo $?
  
  journalctl -u wg-quick@wg.service
  
  ```
  Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
  Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
  Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
  ```

https://bugs.launchpad.net/bugs/2123870

Title:
  apparmor several profiles incompatible with new coreutils scheme
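As an added example (not code from the bug report, the apparmor package or the Pro Client project): a small Python parser for the kernel audit lines shown above that groups DENIED entries by profile, maps a resolved /usr/bin/gnu<tool> target back to the symlink name a profile rule would have referenced, and implements the acceptance rule from the test plan (any DENIED entry is a failure). The sample journal lines and the subset of the symlink list are constructed.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines, modelled on the DENIED entries in the bug.
SAMPLE_JOURNAL = """\
2025-09-15T16:19:31.167181+00:00 host kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:20.116047+00:00 host kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:21.000000+00:00 host kernel: audit: type=1400 audit(1757951721.000:448): apparmor="ALLOWED" operation="open" class="file" profile="wg-quick" name="/etc/wireguard/wg0.conf" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:22.000000+00:00 host kernel: audit: type=1400 audit(1757951722.000:449): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Subset of the symlinked utilities listed in the bug (constructed; the real list has 108 entries).
SYMLINKED = {"/usr/bin/cat", "/usr/bin/readlink", "/usr/bin/sort", "/usr/sbin/chroot"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
GNU_TARGET_RE = re.compile(r"(/usr/s?bin)/gnu(\w+)")

def parse_audit(line):
    """Return the key="value" fields of one audit line, or None if it is not an apparmor line."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "apparmor" in fields else None

def symlink_for(target):
    """Map a resolved /usr/bin/gnu<tool> (or /usr/sbin/gnu<tool>) path back to the symlink
    name a profile rule would reference, or None if it is not one of the coreutils symlinks."""
    m = GNU_TARGET_RE.fullmatch(target)
    if not m:
        return None
    candidate = f"{m.group(1)}/{m.group(2)}"
    return candidate if candidate in SYMLINKED else None

def denied_by_profile(journal):
    """Group DENIED entries: {profile: [(denied path, symlink it was reached through, mask)]}."""
    out = defaultdict(list)
    for line in journal.splitlines():
        fields = parse_audit(line)
        if fields is None or fields.get("apparmor") != "DENIED":
            continue
        name = fields.get("name", "")
        out[fields["profile"]].append((name, symlink_for(name), fields.get("requested_mask", "")))
    return dict(out)

def acceptance_check(journal):
    """The SRU test plan's rule: a run passes only if no DENIED entry appears at all."""
    return not denied_by_profile(journal)

if __name__ == "__main__":
    for profile, entries in denied_by_profile(SAMPLE_JOURNAL).items():
        for path, link, mask in entries:
            print(f"{profile}: denied {mask!r} on {path} (rule was probably written for {link})")
```

Feeding it `journalctl -k` output from an acceptance run gives, per profile, the exact rule paths that now resolve to /usr/bin/gnu<tool> and need adjusting.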


