group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #47344
[Bug 2067810] Re: New Apparmor denial with ubuntu-advantage-tools on bionic
** Description changed:
+ [ Impact ]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [ Test Plan ]
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+ package to reproduce the bug and verify that the updated package fixes
+ the problem.
+
+ * if other testing is appropriate to perform before landing this update,
+ this should also be described here.
+
+ [ Where problems could occur ]
+
+ * Think about what the upload changes in the software. Imagine the change is
+ wrong or breaks something else: how would this show up?
+
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
+
+ * This must '''never''' be "None" or "Low", or entirely an argument as to why
+ your upload is low risk.
+
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
+
+ [ Other Info ]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
+
+ [ Original Description ]
+
ubuntu-advantage-tools 32.3~18.04 is causing a new apparmor denial on
Bionic when updating:
[ 8091.769560] audit: type=1400 audit(1717273124.410:121):
apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//dpkg"
name="/var/lib/dpkg/arch" pid=10358 comm="dpkg" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
Fix:
--- /etc/apparmor.d/ubuntu_pro_esm_cache.orig 2024-06-01 22:31:28.276735437 +0200
+++ /etc/apparmor.d/ubuntu_pro_esm_cache 2024-06-01 22:31:07.163884846 +0200
@@ -174,6 +174,8 @@
-
- /etc/dpkg/** r,
-
+
+ /etc/dpkg/** r,
+
+ /var/lib/dpkg/** r,
+
- /{,usr/}bin/dpkg mr,
-
- }
+ /{,usr/}bin/dpkg mr,
+
+ }
** Also affects: ubuntu-advantage-tools (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Oracular)
Importance: Undecided
Assignee: Andreas Hasenack (ahasenack)
Status: In Progress
** Also affects: ubuntu-advantage-tools (Ubuntu Mantic)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: ubuntu-advantage-tools (Ubuntu Xenial)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Focal)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Mantic)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: ubuntu-advantage-tools (Ubuntu Xenial)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Focal)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Mantic)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
Status: New => In Progress
** Changed in: ubuntu-advantage-tools (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Mantic)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
Importance: Undecided => Medium
** Changed in: ubuntu-advantage-tools (Ubuntu Oracular)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2067810
Title:
New Apparmor denial with ubuntu-advantage-tools on bionic
Status in ubuntu-advantage-tools package in Ubuntu:
In Progress
Status in ubuntu-advantage-tools source package in Xenial:
In Progress
Status in ubuntu-advantage-tools source package in Bionic:
In Progress
Status in ubuntu-advantage-tools source package in Focal:
In Progress
Status in ubuntu-advantage-tools source package in Jammy:
In Progress
Status in ubuntu-advantage-tools source package in Mantic:
In Progress
Status in ubuntu-advantage-tools source package in Noble:
In Progress
Status in ubuntu-advantage-tools source package in Oracular:
In Progress
Bug description:
[ Impact ]
Systems with a /var/lib/dpkg/arch file will trigger an apparmor DENIED
log entry when the esm-cache service tries to access that file.
Not all systems will have /var/lib/dpkg/arch. It can be created,
probably among other scenarios, when a subarchitecture is added. For
example, on amd64 systems, it's quite common to also have i386 added
via the command
sudo dpkg --add-architecture i386
That is enough to create /var/lib/dpkg/arch populated with both am64
and i386, and trigger this bug.
The upstream test suite has been run with the bug trigger in place,
and no tests have been found that would fail because of this bug
(other than the check for apparmor DENIED logs). Even so, this influx
of apparmor logs can be troubling, or we could have missed a scenario
where it really triggers an incorrect behavior in the Pro client.
Given that the fix is simple, and easy to test, we decided to proceed
with this SRU.
[ Test Plan ]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[ Where problems could occur ]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[ Original Description ]
ubuntu-advantage-tools 32.3~18.04 is causing a new apparmor denial on
Bionic when updating:
[ 8091.769560] audit: type=1400 audit(1717273124.410:121):
apparmor="DENIED" operation="open"
profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch"
pid=10358 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
Fix:
--- /etc/apparmor.d/ubuntu_pro_esm_cache.orig 2024-06-01 22:31:28.276735437 +0200
+++ /etc/apparmor.d/ubuntu_pro_esm_cache 2024-06-01 22:31:07.163884846 +0200
@@ -174,6 +174,8 @@
/etc/dpkg/** r,
+ /var/lib/dpkg/** r,
+
/{,usr/}bin/dpkg mr,
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067810/+subscriptions
