group.of.nepali.translators team mailing list archive, Message #47288
[Bug 2065573] Re: esm-cache.service denied access to /etc/os-release by apparmor
This bug was fixed in the package ubuntu-advantage-tools - 32.3~24.04
---------------
ubuntu-advantage-tools (32.3~24.04) noble; urgency=medium
* Backport 32.3 to noble (LP: #2060732)
ubuntu-advantage-tools (32.3) oracular; urgency=medium
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-advantage-tools (32.2) oracular; urgency=medium
* d/apparmor: adjust rules for violations found during testing (LP:
#2066929)
ubuntu-advantage-tools (32.1) oracular; urgency=medium
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-advantage-tools (32) oracular; urgency=medium
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_pro_esm_cache apparmor policy
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.token.full_token_attach.v1: add support for attach
with token
+ u.pro.services.disable.v1: add support for disable operation
+ u.pro.services.enable.v1: add support for enable operation
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.is_attached.v1: add extra fields to API response
+ u.pro.services.dependencies.v1: add support for service dependencies
+ u.pro.security.fix.*.plan.v1: update ESM cache during plan API
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx> Tue, 28 May 2024 15:15:48 -0300
** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह (Nepali Language Coordinators Group), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2065573
Title:
esm-cache.service denied access to /etc/os-release by apparmor
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
Fix Released
Status in ubuntu-advantage-tools source package in Noble:
Fix Released
Status in ubuntu-advantage-tools source package in Oracular:
Fix Released
Bug description:
[ Impact ]
On systems where /etc/os-release is an actual file instead of a
symlink to /usr/lib/os-release, the apparmor profile
ubuntu_pro_esm_cache will block access to it. The existing profile
only allows access to /usr/lib/os-release (via globbing rules written
in other profiles that are being included).
This results in the esm-cache.service failing to run:
May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-05-13T19:17:29.370", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
[ Test Plan ]
Keep sudo dmesg -wT | grep ubuntu_pro running in a terminal (in the
same VM, if testing in a VM, or in the host, if testing with a LXD
container), and then run this on the system being tested (LXD or VM):
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo rm -rf /var/lib/apt/periodic/*
sudo systemctl start esm-cache.service
there should be no apparmor DENIED messages for an access to /etc/os-release in the dmesg output. Additionally, /var/log/ubuntu-advantage.log should not have a permission denied error referring to /etc/os-release.
Additionally, for a more surgical test, also run these:
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo aa-exec -p ubuntu_pro_esm_cache cat /etc/os-release
On a system with the fixed apparmor profile, you should see the
contents of /etc/os-release. With the bug, the last command above will
return a permission denied error and dmesg will show a corresponding
apparmor DENIED error.
[ Where problems could occur ]
The fix is to include a rule to allow access to /etc/os-release, and
/usr/lib/os-release too (even though that was covered already via
other apparmor abstractions being included).
We don't think there is an additional security risk by this new allow
rule, and in fact, it should probably be covered by some base
abstraction in the future.
The risk being introduced by this fix is a syntax error on the
profile, but that is covered by the package build which runs a syntax
check.
The other risk is that this rule could only be correct for certain Ubuntu releases, and not older ones like Xenial, but this is a very simple file access rule, which is something very old apparmor profiles understand already.
[ Other Info ]
This was found by the CI system of a contributor who happened to be including proposed packages in their testing, and that for some reason does not have /etc/os-release as a symlink. We are unsure why /etc/os-release is not a symlink, but nevertheless it's a valid scenario, and should be fixed in the apparmor profile.
[ Original Description ]
We just caught a regression in our CI: https://github.com/cockpit-project/bots/pull/6373
An unexpected apparmor denial is logged in the journal:
May 13 08:49:01 ubuntu systemd[1]: Starting Update APT News...
May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
May 13 08:49:02 ubuntu PackageKit[2370]: refresh-cache transaction /17_aebebede from uid 0 finished with success after 384ms
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu python3[2667]: ["2024-05-13T08:49:02.172", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update the local ESM caches.
May 13 08:49:02 ubuntu systemd[1]: apt-news.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update APT News.
The relevant change since the last (working) state is that these
packages got updated:
ubuntu-advantage-tools (31.2.3~22.04 -> 32~22.04)
ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
ubuntu-pro-client-l10n (31.2.3~22.04 -> 32~22.04)
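As an added example (not code from the bug report or from the ubuntu-advantage-tools package), the following Python script does the triage the test plan above performs by hand with dmesg and grep: it parses AppArmor DENIED lines from journal or kernel output, collapses the duplicate auditd and kernel copies of one event, and emits the minimal file rule that would allow the access. The sample lines are constructed after the ones quoted in the original description; the helper names (parse_denials, denials_for_profile, suggest_rule, needs_explicit_rule) are this example's own, and the rule it prints is a suggestion in d/apparmor syntax, not a replacement for reviewing the profile.

```python
"""Triage AppArmor DENIED audit lines the way a maintainer would before
editing a profile: parse the fields, collapse the duplicate journal/kernel
copies of one event, and emit the minimal allow rule that covers it.

Added example for this bug thread; not code from the bug report or from
the ubuntu-advantage-tools package. The sample log lines below are
constructed after the ones quoted in the report."""
import os
import re
from dataclasses import dataclass

# Constructed sample, modelled on the journal excerpt in the original
# description: the same denial appears once via auditd and once via the
# kernel ring buffer, followed by an unrelated systemd line.
SAMPLE_LOG = """\
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
"""

# key=value or key="quoted value", as emitted by the AppArmor audit code.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    name: str
    comm: str
    denied_mask: str


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def parse_denials(log_text):
    """Extract the unique DENIED events from journal or dmesg text."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_fields(line)
        d = Denial(profile=f.get("profile", ""), operation=f.get("operation", ""),
                   name=f.get("name", ""), comm=f.get("comm", ""),
                   denied_mask=f.get("denied_mask", ""))
        if d not in denials:  # auditd and the kernel both log the same event
            denials.append(d)
    return denials


def denials_for_profile(log_text, profile_prefix="ubuntu_pro"):
    """Programmatic equivalent of `sudo dmesg -wT | grep ubuntu_pro`."""
    return [d for d in parse_denials(log_text) if d.profile.startswith(profile_prefix)]


def suggest_rule(denial):
    """Minimal file rule that would allow exactly this access.

    AppArmor mediates the path the kernel resolved, so when /etc/os-release
    is a symlink to /usr/lib/os-release an existing rule for the latter
    already covers it; the denial only shows up when /etc/os-release is a
    real file, which is why the fix names that path explicitly."""
    if not denial.name:
        return None  # non-file operations (signal, dbus, ...) need other rule types
    return f"{denial.name} {denial.denied_mask},"


def needs_explicit_rule(path):
    """True when `path` is a real file rather than a symlink, i.e. the
    layout the test plan in this bug creates with rm + cp (assumed helper)."""
    return os.path.lexists(path) and not os.path.islink(path)


if __name__ == "__main__":
    for d in denials_for_profile(SAMPLE_LOG):
        print(f"{d.profile}: {d.comm} {d.operation} {d.name} (denied {d.denied_mask})")
        print(f"  suggested rule: {suggest_rule(d)}")
```

Feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG to run it against a real system; the dedup step matters because, as the excerpt above shows, one denial is logged twice (once by auditd, once via the kernel ring buffer) and would otherwise look like two separate accesses.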