debcrafters-packages team mailing list archive
Message #07237
[Bug 2123870] Re: apparmor several profiles incompatible with new coreutils scheme
** Changed in: cups-browsed (Ubuntu)
Milestone: None => ubuntu-25.10
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cups-browsed in Ubuntu.
https://bugs.launchpad.net/bugs/2123870
Title:
apparmor several profiles incompatible with new coreutils scheme
Status in apparmor package in Ubuntu:
Confirmed
Status in cups-browsed package in Ubuntu:
Confirmed
Bug description:
apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2, released
on May 08, 2025. Minimally this looks to affect the wg-quick profile,
but there may be other profiles that are affected.
gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. AppArmor resolves the symlink to the real target path, which then breaks any AppArmor profile that referenced the utility by its /usr/bin or /usr/sbin name.
The result is many DENIED operations for any symlinked gnu-coreutils command.
This bug appears to affect any apparmor profile in Ubuntu questing which happens to set file-based mediation rules for any of the symlinked utilities listed below.
Any profile which has specific file rules related to these utilities will likely log DENIED messages in Ubuntu questing of the format:
```
pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Symlinked utilities due to gnu-coreutils:
/usr/bin/arch
/usr/bin/b2sum
/usr/bin/base32
/usr/bin/base64
/usr/bin/basename
/usr/bin/basenc
/usr/bin/cat
/usr/bin/chcon
/usr/bin/chgrp
/usr/bin/chmod
/usr/bin/chown
/usr/bin/cksum
/usr/bin/comm
/usr/bin/cp
/usr/bin/csplit
/usr/bin/cut
/usr/bin/date
/usr/bin/dd
/usr/bin/df
/usr/bin/dir
/usr/bin/dircolors
/usr/bin/dirname
/usr/bin/du
/usr/bin/echo
/usr/bin/env
/usr/bin/expand
/usr/bin/expr
/usr/bin/factor
/usr/bin/false
/usr/bin/fmt
/usr/bin/fold
/usr/bin/groups
/usr/bin/head
/usr/bin/hostid
/usr/bin/id
/usr/bin/install
/usr/bin/join
/usr/bin/link
/usr/bin/ln
/usr/bin/logname
/usr/bin/ls
/usr/bin/md5sum
/usr/bin/mkdir
/usr/bin/mkfifo
/usr/bin/mknod
/usr/bin/mktemp
/usr/bin/mv
/usr/bin/nice
/usr/bin/nl
/usr/bin/nohup
/usr/bin/nproc
/usr/bin/numfmt
/usr/bin/od
/usr/bin/paste
/usr/bin/pathchk
/usr/bin/pinky
/usr/bin/pr
/usr/bin/printenv
/usr/bin/printf
/usr/bin/ptx
/usr/bin/pwd
/usr/bin/readlink
/usr/bin/realpath
/usr/bin/rm
/usr/bin/rmdir
/usr/bin/runcon
/usr/bin/seq
/usr/bin/sha1sum
/usr/bin/sha224sum
/usr/bin/sha256sum
/usr/bin/sha384sum
/usr/bin/sha512sum
/usr/bin/shred
/usr/bin/shuf
/usr/bin/sleep
/usr/bin/sort
/usr/bin/split
/usr/bin/stat
/usr/bin/stdbuf
/usr/bin/stty
/usr/bin/sum
/usr/bin/sync
/usr/bin/tac
/usr/bin/tail
/usr/bin/tee
/usr/bin/test
/usr/bin/timeout
/usr/bin/touch
/usr/bin/tr
/usr/bin/true
/usr/bin/truncate
/usr/bin/tsort
/usr/bin/tty
/usr/bin/uname
/usr/bin/unexpand
/usr/bin/uniq
/usr/bin/unlink
/usr/bin/users
/usr/bin/vdir
/usr/bin/wc
/usr/bin/who
/usr/bin/whoami
/usr/bin/yes
/usr/sbin/chroot
### steps to reproduce
lxc launch ubuntu-daily:questing --vm kvm-q
lxc exec kvm-q bash
apt-get update --yes
apt-get install wireguard-tools --yes
modprobe wireguard
su - ubuntu
umask 077
wg genkey > wg0.key
wg pubkey < wg0.key > wg0.pub
<CTRL-D>
root@kvm-q:~# KEY=`cat /home/ubuntu/wg0.key`
root@kvm-q:~# PUBKEY=`cat /home/ubuntu/wg0.pub`
root@kvm-q:~# cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.254.1/32
ListenPort = 51820
PrivateKey = ${KEY}
[Peer]
PublicKey = ${PUBKEY}
AllowedIPs = 192.168.254.2/32
EOF
systemctl restart wg-quick@wg
echo $?
journalctl -u wg-quick@wg.service
```
Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2123870/+subscriptions
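The report above explains the failure (a profile rule names /usr/bin/readlink, the kernel mediates the resolved target /usr/bin/gnureadlink, the open is denied) but gives no way to find which profiles on a system are exposed. The following Python script is an added example written for this page; it is not part of the bug report, the apparmor package, or wireguard-tools. It parses the DENIED audit lines quoted in the report, maps each denied target back to the symlink the profile was written against, and scans a profile for plain file rules on symlinked paths, emitting a companion rule for the resolved target with the same qualifiers and permissions. The sample profile text, the COREUTILS_PATHS subset and the simplified rule regex (no @{bin} variables, no alternations, no "perms path," ordering) are assumptions of the example, not Ubuntu's actual wg-quick profile.

```python
"""Added example: find AppArmor file rules that name a coreutils path which
is now a symlink to /usr/bin/gnu<tool>, and emit a companion rule for the
resolved target. Not part of the bug report or of the apparmor package."""
import os
import re
import sys
from typing import Dict, List, Tuple

# Subset of the symlinked utilities listed in the report (assumption: pass
# the full list, or everything in /usr/bin, on a real system).
COREUTILS_PATHS = ["/usr/bin/cat", "/usr/bin/readlink", "/usr/bin/sort", "/usr/bin/ls"]

# Matches the kernel audit line format shown in the report.
AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)"\s+operation="(?P<op>[^"]+)".*?'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)".*?'
    r'requested_mask="(?P<mask>[^"]+)"'
)

# A plain AppArmor file rule: optional qualifiers, absolute path, perms, comma.
# Deliberately simple: it does not handle variables (@{bin}), alternations
# or the "perms path," ordering.
RULE_RE = re.compile(
    r'^(?P<indent>\s*)(?P<qual>(?:(?:audit|deny|owner)\s+)*)'
    r'(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),\s*$'
)


def symlinked_utilities(paths, is_link=os.path.islink, resolve=os.path.realpath) -> Dict[str, str]:
    """Return {path: resolved target} for every path that is a symlink.
    is_link/resolve are injectable so the logic can be tested off-box."""
    return {p: resolve(p) for p in paths if is_link(p)}


def parse_denials(log_text: str) -> List[Dict[str, str]]:
    """Extract DENIED events (profile, name, mask, ...) from audit/journal text."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m.group("action") == "DENIED":
            events.append(m.groupdict())
    return events


def explain_denials(denials, link_map: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map each denied target back to the symlink the profile was written
    against, e.g. /usr/bin/gnusort -> /usr/bin/sort (None if unknown)."""
    reverse = {target: source for source, target in link_map.items()}
    return [(d["profile"], d["name"], reverse.get(d["name"])) for d in denials]


def companion_rules(profile_text: str, link_map: Dict[str, str]) -> List[Tuple[str, str]]:
    """For each file rule whose path is a symlink, build the same rule (same
    qualifiers and permissions) for the resolved target. The original rule
    is kept, so the profile still works where the path is a real binary."""
    pairs = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("path") not in link_map:
            continue
        new_rule = f'{m.group("qual")}{link_map[m.group("path")]} {m.group("perms")},'
        pairs.append((line.strip(), new_rule))
    return pairs


# Constructed sample profile (not the real wg-quick profile shipped by Ubuntu).
SAMPLE_PROFILE = """\
profile wg-quick /usr/bin/wg-quick {
  /usr/bin/readlink rix,
  /usr/bin/cat rix,
  /usr/bin/sort rix,
  /usr/bin/wg Px,
}
"""

# The three denials quoted in the report, rejoined onto single lines.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

if __name__ == "__main__":
    # On a questing box the map comes from the filesystem; elsewhere most entries are absent.
    link_map = symlinked_utilities(COREUTILS_PATHS)
    for profile, name, source in explain_denials(parse_denials(SAMPLE_LOG), link_map):
        print(f"{profile}: denied {name} (profile likely names {source})")
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for old, new in companion_rules(text, link_map):
        print(f"{old:40} -> add: {new}")
```

Run it on the affected release with a profile path as the argument (for example a file under /etc/apparmor.d) to get the list of companion rules to add. Keeping the original rule and adding one for the resolved target is narrower than a blanket rule over /usr/bin/gnu*, which would grant every coreutils binary to the confined program; the per-rule approach preserves whatever least-privilege scoping the profile author chose.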