
group.of.nepali.translators team mailing list archive

[Bug 2067319] Re: After upgrading from bionic to focal, esm-cache.service hits apparmor denials

 

This bug was fixed in the package ubuntu-advantage-tools - 32.3~23.10

---------------
ubuntu-advantage-tools (32.3~23.10) mantic; urgency=medium

  * Backport 32.3 to mantic (LP: #2060732)

ubuntu-advantage-tools (32.3) oracular; urgency=medium

  * d/apparmor: adjust the profiles to account for usr-merge consequences
    (LP: #2067319)

ubuntu-advantage-tools (32.2) oracular; urgency=medium

  * d/apparmor: adjust rules for violations found during testing (LP: #2066929)

ubuntu-advantage-tools (32.1) oracular; urgency=medium

  * d/apparmor: allow access for /etc/os-release on all supported
    profiles (LP: #2065573)
  * apport: get path for timer job status from the correct place (LP: #2065616)

ubuntu-advantage-tools (32) oracular; urgency=medium

  * d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
  * d/apparmor: introduce new ubuntu_pro_esm_cache apparmor policy
  * New upstream release 32 (LP: #2060732)
    - api:
      + u.pro.attach.token.full_token_attach.v1: add support for attach
        with token
      + u.pro.services.disable.v1: add support for disable operation
      + u.pro.services.enable.v1: add support for enable operation
      + u.pro.detach.v1: add support for detach operation
      + u.pro.status.is_attached.v1: add extra fields to API response
      + u.pro.services.dependencies.v1: add support for service dependencies
      + u.pro.security.fix.*.plan.v1: update ESM cache during plan API
        if needed
    - apt_news: add architectures and packages selectors filters for apt news
    - cli:
      + improved cli/log message for unexpected errors (GH: #2600)
      + properly handle setting empty config values (GH: #2925)
    - cloud-init: support ubuntu_pro user-data
    - collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
    - config: create public and private config (GH: #2809)
    - entitlements:
      + update logic that checks if a service is enabled (LP: #2031192)
    - fips: warn/confirm with user if enabling fips downgrades the kernel
    - fix: warn users if ESM cache cannot be updated (GH: #2841)
    - logging:
      + use journald logging for all systemd services
      + add redundancy to secret redaction
    - messaging:
      + add consistent messaging for end of contract state
      + make explicit that unattached enable/disable is a noop (GH: #2487)
      + make explicit that disabling a disabled service is a noop
      + make explicit that enabling an enabled service is a noop
    - notices: filter unreadable notices when listing notices (GH: #2898)

 -- Renan Rodrigo <renanrodrigo@xxxxxxxxxxxxx>  Tue, 28 May 2024 15:15:45 -0300

** Changed in: ubuntu-advantage-tools (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2067319

Title:
  After upgrading from bionic to focal, esm-cache.service hits apparmor
  denials

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

  On ubuntu-advantage-tools v32.2, currently in -proposed, we are
  hitting apparmor DENIED errors on the apt update hook which executes
  esm-cache.service.

  This ONLY happens if the version with the apparmor profiles is
  installed on a Focal system which has been upgraded from Bionic, using
  do-release-upgrade.

  It seems that despite covering /usr/bin/ in the profile on Focal for
  commands like uname or systemctl, we don't account for /bin/. However,
  when coming from a Bionic system, /bin/ is an actual folder instead of
  a symlink (as expected on a fresh Focal machine).

  This happens because of the usr-merge[1] effort. On fresh focal systems,
  we have symlinks replacing top-level directories like /bin, /sbin, and
  others:
  root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
  lrwxrwxrwx 1 root root  7 May 24 21:40 /bin -> usr/bin
  lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
  lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
  lrwxrwxrwx 1 root root  9 May 24 21:40 /lib32 -> usr/lib32
  lrwxrwxrwx 1 root root  9 May 24 21:40 /lib64 -> usr/lib64
  lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
  lrwxrwxrwx 1 root root  8 May 24 21:40 /sbin -> usr/sbin

  In bionic, these are actual directories:
  root@b:~# ls -lad /{bin,lib,lib*,sbin}
  drwxr-xr-x 1 root root 2472 Jun  7  2023 /bin
  drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
  drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
  drwxr-xr-x 1 root root   40 Jun  7  2023 /lib64
  drwxr-xr-x 1 root root 3694 Jun  7  2023 /sbin

  In a focal system that was upgraded from bionic, the usr-merge is not
  done, and this focal system will retain the bionic top-level
  directories.

  Logs:
  2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
        2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end

  1. https://wiki.debian.org/UsrMerge

  [ Test Plan ]

  These were caught by the automated verification tests for v32.2 in
  -proposed. If all of the automated verification tests pass for the
  version with the fix (32.3), then that will be considered a
  verification for this bug as well.

  The specific tests to be executed for this are:
  1. The Bionic to Focal upgrade tests:
  - features/ubuntu_upgrade.feature:50  Attached upgrade -- @1.2 ubuntu release
  - features/ubuntu_upgrade.feature:51  Attached upgrade -- @1.3 ubuntu release
  - features/ubuntu_upgrade_unattached.feature:62  Unattached upgrade -- @1.2 ubuntu release
  2. The following Focal tests which verify the esm cache working:
  - features/unattached_commands.feature:370 esm cache failures don't generate errors -- @1.2 ubuntu release
  - all of features/security-status.feature

  [ Where problems could occur ]

  The fix edits the template for the ubuntu_pro_esm_cache apparmor
  profile. If mistakes were made, it may cause new apparmor denials or
  other related issues, ultimately meaning esm-cache.service wouldn't
  run properly, preventing esm update notifications from being displayed
  on unattached machines.

  Given the nature of the change needed for this fix, it is very
  unlikely that we are breaking anything else: we are making the rules
  more permissive than they were before. However, if any typo is
  present, we may be breaking the esm-cache.service as mentioned before.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067319/+subscriptions
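The denial pattern described in the bug report, as an added example that is not part of the bug report or of ubuntu-advantage-tools: a small Python script that parses AppArmor audit DENIED records (constructed sample lines modelled on the ones above, plus a made-up read denial and a STATUS record to exercise the filtering) and rewrites each denied path under a usr-merge directory into an AppArmor brace alternation such as /{usr/,}bin/uname, so that one rule matches both the fresh-Focal symlink layout and the unmerged layout left behind by a Bionic upgrade. It also carries a check that tells the two layouts apart by testing whether /bin, /sbin and the lib directories are symlinks. The use of ix for exec denials and the helper names (parse_denials, usr_merge_path, suggest_rules, is_usr_merged) are assumptions made for the example, not the project's actual profile change.

```python
"""Derive usr-merge-aware AppArmor rules from DENIED audit records.

Added example, not code from ubuntu-advantage-tools. A rule for
/usr/bin/uname matches on a fresh Focal host (/bin -> usr/bin) but not on a
Focal host upgraded from Bionic, where /bin is a real directory and the
kernel reports the executed path as /bin/uname. AppArmor brace alternation
covers both layouts with one rule: /{usr/,}bin/uname.
"""
import os
import re
import tempfile
from collections import defaultdict

# Top-level directories that the usr-merge replaces with symlinks into /usr.
USR_MERGE_DIRS = ("bin", "sbin", "lib", "lib32", "lib64", "libx32")

# Quoted key="value" pairs of a type=1400 record; unquoted fields such as
# pid=... and the audit(...) stamp are deliberately ignored.
_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input modelled on the bug report; the /etc/os-release
# read denial and the STATUS record are made up to exercise the filtering.
SAMPLE_LOG = """\
May 24 03:09:09 rtp kernel: audit: type=1400 apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x"
May 24 03:09:09 rtp kernel: audit: type=1400 apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x"
May 24 03:09:09 rtp kernel: audit: type=1400 apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x"
May 24 03:09:10 rtp kernel: audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_apt_news" name="/etc/os-release" pid=108714 comm="python3" requested_mask="r" denied_mask="r"
May 24 03:09:10 rtp kernel: audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="ubuntu_pro_apt_news" pid=108800 comm="apparmor_parser"
"""


def parse_denials(log_text):
    """Yield (profile, path, operation, denied_mask) per file DENIED record."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(_FIELD.findall(line))
        if fields.get("class") == "file" and "name" in fields:
            yield (fields["profile"], fields["name"],
                   fields["operation"], fields["denied_mask"])


def usr_merge_path(path):
    """Rewrite /bin/x or /usr/bin/x (and the other merged dirs) as
    /{usr/,}bin/x so one rule matches the merged and the unmerged layout."""
    parts = path.split("/")          # "/bin/uname" -> ["", "bin", "uname"]
    if len(parts) > 2 and parts[1] == "usr" and parts[2] in USR_MERGE_DIRS:
        return "/{usr/,}" + "/".join(parts[2:])
    if len(parts) > 1 and parts[1] in USR_MERGE_DIRS:
        return "/{usr/,}" + "/".join(parts[1:])
    return path


def rule_mode(operation, denied_mask):
    """Illustrative permission choice (assumption): exec denials become 'ix'
    (run the target under the same profile); other denials keep the literal
    mask. A real profile may want Px or Cx instead, depending on its intent."""
    return "ix" if operation == "exec" else denied_mask


def suggest_rules(log_text):
    """Map profile name -> sorted, de-duplicated rule lines to review."""
    rules = defaultdict(set)
    for profile, path, operation, mask in parse_denials(log_text):
        rules[profile].add(f"{usr_merge_path(path)} {rule_mode(operation, mask)},")
    return {profile: sorted(lines) for profile, lines in rules.items()}


def is_usr_merged(root="/"):
    """True when every merged top-level dir that exists under root is a
    symlink. False on a Focal host upgraded from Bionic, which is the case
    the profile has to keep covering."""
    present = [os.path.join(root, d) for d in USR_MERGE_DIRS
               if os.path.lexists(os.path.join(root, d))]
    return bool(present) and all(os.path.islink(p) for p in present)


def check_constructed_layouts():
    """Build a merged and an unmerged layout in temp dirs; returns (True, False)."""
    results = []
    for merged in (True, False):
        with tempfile.TemporaryDirectory() as root:
            os.makedirs(os.path.join(root, "usr", "bin"))
            if merged:
                os.symlink("usr/bin", os.path.join(root, "bin"))
            else:
                os.mkdir(os.path.join(root, "bin"))
            results.append(is_usr_merged(root))
    return tuple(results)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# {profile}")
        for line in lines:
            print("  " + line)
    print("this host is usr-merged:", is_usr_merged())
```

The output is a list of candidate rules per profile, not something to paste in blindly: each suggested line should be checked against what the profile is meant to permit, since an exec denial may call for Px or Cx rather than ix, and an overly broad alternation loosens the confinement the profile exists to provide. The same brace form works for library and sbin paths, which is why the rewrite covers all of the directories the usr-merge touches rather than only /bin.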