group.of.nepali.translators team mailing list archive

[Bug 2066929] Re: 32.1 in -proposed causes new apparmor denials

 

This bug was fixed in the package ubuntu-advantage-tools - 32.3~24.04

---------------
ubuntu-advantage-tools (32.3~24.04) noble; urgency=medium

  * Backport 32.3 to noble (LP: #2060732)

ubuntu-advantage-tools (32.3) oracular; urgency=medium

  * d/apparmor: adjust the profiles to account for usr-merge consequences
    (LP: #2067319)

ubuntu-advantage-tools (32.2) oracular; urgency=medium

  * d/apparmor: adjust rules for violations found during testing
    (LP: #2066929)

ubuntu-advantage-tools (32.1) oracular; urgency=medium

  * d/apparmor: allow access for /etc/os-release on all supported
    profiles (LP: #2065573)
  * apport: get path for timer job status from the correct place (LP: #2065616)

ubuntu-advantage-tools (32) oracular; urgency=medium

  * d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
  * d/apparmor: introduce new ubuntu_pro_esm_cache apparmor policy
  * New upstream release 32 (LP: #2060732)
    - api:
      + u.pro.attach.token.full_token_attach.v1: add support for attach
        with token
      + u.pro.services.disable.v1: add support for disable operation
      + u.pro.services.enable.v1: add support for enable operation
      + u.pro.detach.v1: add support for detach operation
      + u.pro.status.is_attached.v1: add extra fields to API response
      + u.pro.services.dependencies.v1: add support for service dependencies
      + u.pro.security.fix.*.plan.v1: update ESM cache during plan API
        if needed
    - apt_news: add architectures and packages selectors filters for apt news
    - cli:
      + improved cli/log message for unexpected errors (GH: #2600)
      + properly handle setting empty config values (GH: #2925)
    - cloud-init: support ubuntu_pro user-data
    - collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
    - config: create public and private config (GH: #2809)
    - entitlements:
      + update logic that checks if a service is enabled (LP: #2031192)
    - fips: warn/confirm with user if enabling fips downgrades the kernel
    - fix: warn users if ESM cache cannot be updated (GH: #2841)
    - logging:
      + use journald logging for all systemd services
      + add redundancy to secret redaction
    - messaging:
      + add consistent messaging for end of contract state
      + make explicit that unattached enable/disable is a noop (GH: #2487)
      + make explicit that disabling a disabled service is a noop
      + make explicit that enabling an enabled service is a noop
    - notices: filter unreadable notices when listing notices (GH: #2898)

 -- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx>  Tue, 28 May 2024 15:15:48 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2066929

Title:
  32.1 in -proposed causes new apparmor denials

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

  The new apparmor profile for esm-cache.service has sub profiles for
  subprocesses and some of them were incomplete, resulting in the
  following apparmor DENIED messages in the following situations:

  On xenial, after a `pro attach`:

        2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED begin
        2024-05-21 15:22:29,438:WARNING:root:May 21 19:20:58 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   63.187079] audit: type=1400 audit(1716319258.652:25): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache_systemd_detect_virt" pid=3582 comm="systemd-detect-" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.253406] audit: type=1400 audit(1716319259.720:26): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.253671] audit: type=1400 audit(1716319259.720:27): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.253817] audit: type=1400 audit(1716319259.720:28): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.253952] audit: type=1400 audit(1716319259.720:29): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.254086] audit: type=1400 audit(1716319259.720:30): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.254247] audit: type=1400 audit(1716319259.720:31): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.254406] audit: type=1400 audit(1716319259.720:32): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.254537] audit: type=1400 audit(1716319259.720:33): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [   64.254665] audit: type=1400 audit(1716319259.720:34): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
        2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED end

  On focal, after a `pro attach`:

        2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED begin
        2024-05-21 15:25:25,975:WARNING:root:May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.279:43): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3114 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:44): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:45): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:46): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:47): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:48): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.553:49): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3322 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.709:50): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.713:51): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:52): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:53): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:54): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
        2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED end

  [ Test Plan ]

  These were caught by the automated verification tests for v32.1 in
  -proposed. If all of the automated verification tests pass for the
  version with this fix (32.2), then that will be considered a
  verification for this bug as well.

  The specific tests that found this issue can be run with the following
  command:

  tox run -e behave -- -D install_from=proposed features/attach_validtoken.feature:194 features/attach_validtoken.feature:196

  [ Where problems could occur ]

  The fix edits the template for the ubuntu_pro_esm_cache apparmor
  profile. If mistakes were made, it may cause new apparmor denials or
  other related issues, ultimately meaning esm-cache.service wouldn't
  run properly, preventing esm update notifications from being displayed
  on unattached machines.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2066929/+subscriptions