
group.of.nepali.translators team mailing list archive

[Bug 2065573] Re: esm-cache.service denied access to /etc/os-release by apparmor


This bug was fixed in the package ubuntu-advantage-tools - 32.1

---------------
ubuntu-advantage-tools (32.1) oracular; urgency=medium

  * d/apparmor: allow access for /etc/os-release on all supported
    profiles (LP: #2065573)
  * apport: get path for timer job status from the correct place (LP: #2065616)

 -- Lucas Moura <lucas.moura@xxxxxxxxxxxxx>  Tue, 14 May 2024 11:22:35 +0200

** Changed in: ubuntu-advantage-tools (Ubuntu Oracular)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2065573

Title:
  esm-cache.service denied access to /etc/os-release by apparmor

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Committed
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Committed
Status in ubuntu-advantage-tools source package in Focal:
  Fix Committed
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Committed
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Committed
Status in ubuntu-advantage-tools source package in Noble:
  Fix Committed
Status in ubuntu-advantage-tools source package in Oracular:
  Fix Released

Bug description:
  [ Impact ]

  On systems where /etc/os-release is an actual file instead of a
  symlink to /usr/lib/os-release, the apparmor profile
  ubuntu_pro_esm_cache will block access to it. The existing profile
  only allows access to /usr/lib/os-release (via globbing rules written
  in other profiles that are being included).

  This results in the esm-cache.service failing to run:

  May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-05-13T19:17:29.370", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]

  
  [ Test Plan ]

  Keep sudo dmesg -wT | grep ubuntu_pro running in a terminal (in the
  same VM, if testing in a VM, or in the host, if testing with a LXD
  container), and then run this on the system being tested (LXD or VM):

  sudo rm /etc/os-release
  sudo cp /usr/lib/os-release /etc
  sudo rm -rf /var/lib/apt/periodic/*
  sudo systemctl start esm-cache.service

  There should be no apparmor DENIED messages for an access to
  /etc/os-release in the dmesg output. Additionally,
  /var/log/ubuntu-advantage.log should not have a permission denied
  error referring to /etc/os-release.

  Additionally, for a more surgical test, also run these:

  sudo rm /etc/os-release
  sudo cp /usr/lib/os-release /etc
  sudo aa-exec -p ubuntu_pro_esm_cache cat /etc/os-release

  On a system with the fixed apparmor profile, you should see the
  contents of /etc/os-release. With the bug, the last command above will
  return a permission denied error and dmesg will show a corresponding
  apparmor DENIED error.

  [ Where problems could occur ]

  The fix is to include a rule to allow access to /etc/os-release, and
  /usr/lib/os-release too (even though that was covered already via
  other apparmor abstractions being included).

  We don't think there is an additional security risk by this new allow
  rule, and in fact, it should probably be covered by some base
  abstraction in the future.

  The risk being introduced by this fix is a syntax error on the
  profile, but that is covered by the package build which runs a syntax
  check.

  The other risk is that this rule could only be correct for certain
  Ubuntu releases, and not older ones like Xenial, but this is a very
  simple file access rule, which is something very old apparmor profiles
  understand already.

  [ Other Info ]

  This was found by the CI system of a contributor who happened to be
  including proposed packages in their testing, and that for some reason
  does not have /etc/os-release as a symlink. We are unsure why
  /etc/os-release is not a symlink, but nevertheless it's a valid
  scenario, and should be fixed in the apparmor profile.

  [ Original Description ]

  We just caught a regression in our CI:
  https://github.com/cockpit-project/bots/pull/6373

  An unexpected apparmor denial is logged in the journal:

  May 13 08:49:01 ubuntu systemd[1]: Starting Update APT News...
  May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
  May 13 08:49:02 ubuntu PackageKit[2370]: refresh-cache transaction /17_aebebede from uid 0 finished with success after 384ms
  May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
  May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  May 13 08:49:02 ubuntu python3[2667]: ["2024-05-13T08:49:02.172", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
  May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
  May 13 08:49:02 ubuntu systemd[1]: Finished Update the local ESM caches.
  May 13 08:49:02 ubuntu systemd[1]: apt-news.service: Deactivated successfully.
  May 13 08:49:02 ubuntu systemd[1]: Finished Update APT News.

  The relevant change since the last (working) state is that these
  packages got updated:

    ubuntu-advantage-tools (31.2.3~22.04 -> 32~22.04)
    ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
    ubuntu-pro-client-l10n (31.2.3~22.04 -> 32~22.04)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2065573/+subscriptions
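The test plan above asks the tester to watch `dmesg` for apparmor DENIED records naming /etc/os-release and to confirm there are none once the fixed profile is installed. The script below is an added example, not part of the bug report or of the ubuntu-advantage-tools package: it parses the `apparmor="DENIED"` key/value records as they appear in journalctl, kernel ring-buffer and `dmesg -T` output, applies the test plan's pass criterion for the `ubuntu_pro_esm_cache` profile, and drafts the file rule (AppArmor syntax) that would cover each denial, which for the report's denial is the `/etc/os-release r,` style rule the fix describes. The sample lines are constructed from the journal excerpt in the original description; the second profile name (`some_other_profile`) and its path are made up to show that filtering by profile works.

```python
"""Check dmesg/journal output for AppArmor denials, as in the bug's test plan."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample, modelled on the journal excerpt in the bug report: the two
# copies of the /etc/os-release denial (audit and kernel ring buffer), an
# unrelated systemd line, and a hypothetical denial for another profile to show
# that filtering by profile works. "some_other_profile" and its path are made up.
SAMPLE_JOURNAL: List[str] = """\
May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:03 ubuntu kernel: audit: type=1400 audit(1715590143.001:72): apparmor="DENIED" operation="open" profile="some_other_profile" name="/tmp/constructed-example" pid=2700 comm="sh" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
""".splitlines()

# key=value or key="quoted value" pairs as printed by the audit subsystem.
_AUDIT_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict of audit fields per line that carries an apparmor= record.

    Works for journalctl lines, the kernel 'audit: type=1400' lines and
    'dmesg -T' output alike, since all three keep the key=value payload.
    """
    events = []
    for line in lines:
        if 'apparmor="' not in line:
            continue
        fields = {}
        for m in _AUDIT_FIELD.finditer(line):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else raw
        events.append(fields)
    return events


def denied_paths(lines: Iterable[str], profile: str) -> Set[str]:
    """Paths that `profile` was denied access to, deduplicated across the
    audit[] and kernel copies of the same event."""
    return {
        ev["name"]
        for ev in parse_apparmor_events(lines)
        if ev.get("apparmor") == "DENIED" and ev.get("profile") == profile
        and "name" in ev
    }


def esm_cache_test_passes(lines: Iterable[str],
                          path: str = "/etc/os-release",
                          profile: str = "ubuntu_pro_esm_cache") -> bool:
    """The test plan's pass criterion: no DENIED record for `path` under `profile`."""
    return path not in denied_paths(lines, profile)


def suggested_rules(lines: Iterable[str], profile: str) -> List[str]:
    """Draft AppArmor file rules that would cover each denial, built from
    name and denied_mask. Review before adding to a profile: the denied mask
    is what the program asked for, not necessarily what it should be granted."""
    rules = {
        f'{ev["name"]} {ev["denied_mask"]},'
        for ev in parse_apparmor_events(lines)
        if ev.get("apparmor") == "DENIED" and ev.get("profile") == profile
        and "name" in ev and "denied_mask" in ev
    }
    return sorted(rules)


if __name__ == "__main__":
    import sys
    # Read real output from a pipe (e.g. `sudo dmesg -T | python3 check.py`),
    # otherwise fall back to the constructed sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for p in sorted(denied_paths(source, "ubuntu_pro_esm_cache")):
        print("DENIED:", p)
    print("test plan passes:", esm_cache_test_passes(source))
    for rule in suggested_rules(source, "ubuntu_pro_esm_cache"):
        print("candidate rule:", rule)
```

On the constructed sample the checker reports the test plan as failing and drafts `/etc/os-release r,` as the covering rule; on a system with the fixed profile, piping `sudo dmesg -T` through it after the test plan's `systemctl start esm-cache.service` should report no denied paths for `ubuntu_pro_esm_cache`. The drafted rule is a starting point for review, not something to apply automatically, since the denied mask reflects what the program requested rather than a least-privilege decision.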