group.of.nepali.translators team mailing list archive
Message #47250
[Bug 2065573] Re: esm-cache.service denied access to /etc/os-release by apparmor
This bug was fixed in the package ubuntu-advantage-tools - 32.1
---------------
ubuntu-advantage-tools (32.1) oracular; urgency=medium
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
-- Lucas Moura <lucas.moura@xxxxxxxxxxxxx> Tue, 14 May 2024 11:22:35 +0200
** Changed in: ubuntu-advantage-tools (Ubuntu Oracular)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2065573
Title:
esm-cache.service denied access to /etc/os-release by apparmor
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Committed
Status in ubuntu-advantage-tools source package in Bionic:
Fix Committed
Status in ubuntu-advantage-tools source package in Focal:
Fix Committed
Status in ubuntu-advantage-tools source package in Jammy:
Fix Committed
Status in ubuntu-advantage-tools source package in Mantic:
Fix Committed
Status in ubuntu-advantage-tools source package in Noble:
Fix Committed
Status in ubuntu-advantage-tools source package in Oracular:
Fix Released
Bug description:
[ Impact ]
On systems where /etc/os-release is an actual file instead of a
symlink to /usr/lib/os-release, the apparmor profile
ubuntu_pro_esm_cache will block access to it. The existing profile
only allows access to /usr/lib/os-release (via globbing rules written
in other profiles that are being included).
This results in the esm-cache.service failing to run:
May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-05-13T19:17:29.370", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
[ Test Plan ]
Keep sudo dmesg -wT | grep ubuntu_pro running in a terminal (in the
same VM, if testing in a VM, or in the host, if testing with a LXD
container), and then run this on the system being tested (LXD or VM):
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo rm -rf /var/lib/apt/periodic/*
sudo systemctl start esm-cache.service
There should be no apparmor DENIED messages for an access to /etc/os-release in the dmesg output. Additionally, /var/log/ubuntu-advantage.log should not have a permission denied error referring to /etc/os-release.
Additionally, for a more surgical test, also run these:
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo aa-exec -p ubuntu_pro_esm_cache cat /etc/os-release
On a system with the fixed apparmor profile, you should see the
contents of /etc/os-release. With the bug, the last command above will
return a permission denied error and dmesg will show a corresponding
apparmor DENIED error.
[ Where problems could occur ]
The fix is to include a rule to allow access to /etc/os-release, and
/usr/lib/os-release too (even though that was covered already via
other apparmor abstractions being included).
We don't think there is an additional security risk by this new allow
rule, and in fact, it should probably be covered by some base
abstraction in the future.
The risk being introduced by this fix is a syntax error on the
profile, but that is covered by the package build which runs a syntax
check.
The other risk is that this rule could only be correct for certain
Ubuntu releases, and not older ones like Xenial, but this is a very
simple file access rule, which is something very old apparmor profiles
understand already.
[ Other Info ]
This was found by the CI system of a contributor who happened to be including proposed packages in their testing, and that for some reason does not have /etc/os-release as a symlink. We are unsure why /etc/os-release is not a symlink, but nevertheless it's a valid scenario, and should be fixed in the apparmor profile.
[ Original Description ]
We just caught a regression in our CI: https://github.com/cockpit-project/bots/pull/6373
An unexpected apparmor denial is logged in the journal:
May 13 08:49:01 ubuntu systemd[1]: Starting Update APT News...
May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
May 13 08:49:02 ubuntu PackageKit[2370]: refresh-cache transaction /17_aebebede from uid 0 finished with success after 384ms
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu python3[2667]: ["2024-05-13T08:49:02.172", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update the local ESM caches.
May 13 08:49:02 ubuntu systemd[1]: apt-news.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update APT News.
The relevant change since the last (working) state is that these
packages got updated:
ubuntu-advantage-tools (31.2.3~22.04 -> 32~22.04)
ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
ubuntu-pro-client-l10n (31.2.3~22.04 -> 32~22.04)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2065573/+subscriptions