Public bug reported:

When the apt update hook in /etc/apt/apt.conf.d/20apt-esm-hook.conf is run, esm-cache.service will be called which in turn will call /usr/lib/ubuntu-advantage/esm_cache.py with the ubuntu_pro_esm_cache apparmor profile defined in /etc/apparmor.d/ubuntu_pro_esm_cache.

When /var/lib/ubuntu-advantage/status.json is not present, the client will try to access /sys/firmware/devicetree/base/model. On devices without a devicetree, the file will not be present and this generates an INFO message, whereas when the device has a devicetree, an apparmor DENIED audit message will be sent:

  [ 66.683094] audit: type=1400 audit(1763047623.421:126): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache" name="/sys/firmware/devicetree/base/model" pid=1772 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This access is performed on line 304 in uaclient/system.py:
https://github.com/canonical/ubuntu-pro-client/blob/36/uaclient/system.py#L304

This can be fixed by adding the following line to the ubuntu_pro_esm_cache apparmor profile:

  /sys/firmware/devicetree/base/model r,

It seems like there is an additional apparmor DENIED message when esm-cache.service is run the first time after status.json is removed (tested on the same machine and reproduced on a different machine):

  [1250769.610083] audit: type=1400 audit(1763111087.744:78534): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/dmi/entries/0-0/raw" pid=619752 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This happens when systemd-detect-virt is run. It can be fixed by adding the following line to the ubuntu_pro_esm_cache_systemd_detect_virt profile defined in the same file in /etc/apparmor.d/ubuntu_pro_esm_cache:

  /sys/firmware/dmi/entries/** r,

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2131292

Title:
  esm_cache.py causes apparmor DENIED audit messages when trying to access devicetree
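
An added example, not part of the original report and not ubuntu-pro-client code: a Python check that parses AppArmor DENIED audit records like the two quoted in the report and tests whether the two proposed profile rules would cover them. The function names and the `PROPOSED` table are hypothetical; the sample records are copied from the report with mail line-wrap breaks rejoined, and the glob matcher is a simplification that handles only `*` and `**`.

```python
import re

# key="value" or key=value pairs as they appear in a kernel audit record
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two audit records quoted in the report.
SAMPLE_LOG = '''\
[ 66.683094] audit: type=1400 audit(1763047623.421:126): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache" name="/sys/firmware/devicetree/base/model" pid=1772 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1250769.610083] audit: type=1400 audit(1763111087.744:78534): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/dmi/entries/0-0/raw" pid=619752 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# Rules proposed in the report, as profile -> [(path glob, permissions)].
PROPOSED = {
    "ubuntu_pro_esm_cache": [("/sys/firmware/devicetree/base/model", "r")],
    "ubuntu_pro_esm_cache_systemd_detect_virt": [("/sys/firmware/dmi/entries/**", "r")],
}

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record in text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in _FIELD.finditer(line):
            key, quoted, bare = m.groups()
            if quoted is None and key in ("name", "comm", "profile"):
                # audit writes strings with unsafe characters as bare hex
                try:
                    bare = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass
            fields[key] = bare if quoted is None else quoted
        if {"profile", "name", "denied_mask"} <= fields.keys():
            denials.append(fields)
    return denials

def rule_covers(glob, path):
    """Simplified AppArmor glob match: only '*' and '**' are handled."""
    parts = re.split(r"(\*\*|\*)", glob)
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                 for p in parts)
    return re.fullmatch(rx, path) is not None

def uncovered(denials, proposed):
    """Denials that no proposed rule for the same profile would allow."""
    return [(d["profile"], d["name"]) for d in denials
            if not any(rule_covers(g, d["name"]) and set(d["denied_mask"]) <= set(p)
                       for g, p in proposed.get(d["profile"], []))]

if __name__ == "__main__":
    print("still denied:", uncovered(parse_denials(SAMPLE_LOG), PROPOSED))
```

Running the same check over a full journal after a profile change shows which denials remain, which helps keep added rules as narrow as the observed accesses.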
