
group.of.nepali.translators team mailing list archive

[Bug 2067810] Re: Apparmor denial on /var/lib/dpkg/arch

 

Hello L, or anyone else affected,

Accepted ubuntu-advantage-tools into noble-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/33~24.04 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-noble to verification-done-noble. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-noble. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
       Status: Fix Released => Fix Committed

** Tags removed: verification-done-noble
** Tags added: verification-needed-noble

** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
       Status: Fix Released => Fix Committed

** Tags removed: verification-done-jammy
** Tags added: verification-needed-jammy

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2067810

Title:
  Apparmor denial on /var/lib/dpkg/arch

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Committed
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Committed
Status in ubuntu-advantage-tools source package in Focal:
  Fix Committed
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Committed
Status in ubuntu-advantage-tools source package in Mantic:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Committed
Status in ubuntu-advantage-tools source package in Oracular:
  Fix Released

Bug description:
  [ Impact ]

  Systems with a /var/lib/dpkg/arch file will trigger an apparmor DENIED
  log entry when the esm-cache service tries to access that file.

  Not all systems will have /var/lib/dpkg/arch. It can be created,
  probably among other scenarios, when a subarchitecture is added. For
  example, on amd64 systems, it's quite common to also have i386 added
  via the command

    sudo dpkg --add-architecture i386

  That is enough to create /var/lib/dpkg/arch populated with both amd64
  and i386, and trigger this bug.

  Within the Pro client, we determined that the bug is triggered when a)
  that file exists; and b) when the Pro client, as part of running the
  esm-cache.service service, calls `apt-cache policy`. That will trigger
  an access to /var/lib/dpkg/arch under the dpkg and other apparmor
  subprofiles defined in /etc/apparmor.d/ubuntu_pro_esm_cache, and
  result in apparmor denying that access.

  After learning of this bug, we ran the upstream test suite with the
  bug trigger in place, without the fix, and no tests have been found
  that failed because of this bug (other than the check for apparmor
  DENIED logs). Even so, this influx of apparmor logs can be troubling
  and noisy, or we could have missed a scenario where it really triggers
  an incorrect behavior in the Pro client. Given that the fix is simple,
  and easy to test, we decided to proceed with this SRU.

  [ Test Plan ]

  a) very specific test for this issue. Needs to be run in a VM, not
  LXD, otherwise apparmor will block /dev/pts/* which affects this test
  (but does not affect the esm-cache.service -- see test (b))

  - install the Pro client version to be tested
  - run these commands:

    sudo touch /var/lib/dpkg/arch
    sudo aa-exec -p ubuntu_pro_esm_cache//dpkg dpkg --print-foreign-architectures
    sudo aa-exec -p ubuntu_pro_esm_cache apt-cache policy

  Without the fix, they will produce apparmor DENIED messages in the
  dmesg logs showing an attempted access to /var/lib/dpkg/arch, and in
  addition to that, the dpkg one will fail (apt-cache policy won't fail).

  b) esm-cache.service test (only in an LTS)
  - install the Pro client version to be tested
  - run these commands in sequence as root:

    touch /var/lib/dpkg/arch
    rm -rf /var/lib/apt/periodic/*
    systemctl start esm-cache.service

  Without the fix, the dmesg logs will contain apparmor DENIED messages
  showing attempted accesses to /var/lib/dpkg/arch.
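
  To make tests (a) and (b) repeatable, here is an added shell script
  (not part of the bug report or of the Pro client) that reproduces
  test (a) and counts the AppArmor denials for /var/lib/dpkg/arch in
  dmesg, listing which profile or subprofile was denied so the fix can
  be checked against each of them. The script name
  check_arch_denial.sh, the --reproduce flag and the function names are
  assumptions; the first sample log line is the one quoted in the bug
  report below, the other three are constructed to exercise the filter.
  The reproduction step needs root, aa-exec and a VM (not LXD), as the
  test plan says, and is only run when the flag is given.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Pro client.
# Reproduces test (a) of the SRU test plan and counts the resulting
# AppArmor denials for /var/lib/dpkg/arch. Run stand-alone it only
# exercises the log filter on constructed sample lines; run as
#   sh check_arch_denial.sh --reproduce   (name and flag are assumptions)
# it runs the three commands from test (a) as root.

ARCH_FILE=/var/lib/dpkg/arch

# Keep only AppArmor DENIED lines whose target is /var/lib/dpkg/arch.
# Reads kernel/audit log lines on stdin.
arch_denials() {
    grep -F 'apparmor="DENIED"' | grep -F "name=\"$ARCH_FILE\""
}

# Count matching denials; prints 0 when there are none.
count_arch_denials() {
    arch_denials | wc -l | tr -d ' '
}

# Distinct profiles (parent or //child) that were denied, one per line,
# so the profile fix can be verified for every subprofile that hits the file.
denied_profiles() {
    arch_denials | sed -n 's/.*profile="\([^"]*\)".*/\1/p' | LC_ALL=C sort -u
}

# Run the three commands from test (a) and compare dmesg before and after.
# Returns 0 when no new denial was logged (fix present), 1 when one was,
# 2 when the environment cannot run the test.
reproduce_test_a() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2; return 2
    fi
    command -v aa-exec >/dev/null || { echo "aa-exec not found" >&2; return 2; }
    before=$(dmesg | count_arch_denials)
    touch "$ARCH_FILE"
    # Without the fix the dpkg call fails; apt-cache policy still succeeds.
    aa-exec -p ubuntu_pro_esm_cache//dpkg dpkg --print-foreign-architectures || \
        echo "dpkg under ubuntu_pro_esm_cache//dpkg failed (expected without the fix)" >&2
    aa-exec -p ubuntu_pro_esm_cache apt-cache policy >/dev/null
    after=$(dmesg | count_arch_denials)
    new=$((after - before))
    echo "new denials for $ARCH_FILE: $new"
    if [ "$new" -gt 0 ]; then
        echo "profiles denied:"; dmesg | denied_profiles
        return 1
    fi
    return 0
}

# Constructed sample input for a stand-alone run: line 1 is the denial
# quoted in the bug report; lines 2-4 are constructed (a denial under the
# parent profile, a denial for a different file, and an ALLOWED line),
# of which only lines 1 and 2 must be counted.
SAMPLE_AUDIT='[ 8091.769560] audit: type=1400 audit(1717273124.410:121): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=10358 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 8091.800000] audit: type=1400 audit(1717273124.440:122): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/var/lib/dpkg/arch" pid=10360 comm="apt-cache" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 8091.900000] audit: type=1400 audit(1717273124.540:123): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/var/lib/dpkg/lock" pid=10361 comm="apt-cache" requested_mask="wk" denied_mask="wk" fsuid=0 ouid=0
[ 8091.950000] audit: type=1400 audit(1717273124.590:124): apparmor="ALLOWED" operation="open" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=10362 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

case "${1:-}" in
    --reproduce) reproduce_test_a ;;
    *)  echo "sample denials for $ARCH_FILE: $(printf '%s\n' "$SAMPLE_AUDIT" | count_arch_denials)"
        printf '%s\n' "$SAMPLE_AUDIT" | denied_profiles ;;
esac
```

  Counting both before and after the commands matters because dmesg is a
  ring buffer that may already hold denials from an earlier esm-cache.service
  run; listing the denied profiles shows whether a fix limited to the
  //dpkg subprofile also covers the apt-cache policy path.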

  [ Where problems could occur ]

  A syntax error in the apparmor profile would prevent it from loading,
  and remove its protection entirely. To account for that, the package
  build process runs an apparmor static check on the generated profiles,
  and if that fails, the package build fails. It could still be
  susceptible to errors at profile load-time regarding the running
  kernel, which is likely different than the running kernel in the
  launchpad builders.

  Another type of mistake that could happen is inadvertently opening up
  the profile more than is needed. But the extra access we are giving
  here is read-only, and the affected profiles do need that access.

  [ Other Info ]

  Upstream bug report: https://github.com/canonical/ubuntu-pro-
  client/issues/3137

  Unfortunately this wasn't caught by the extensive Pro test suite
  because the test units (vms, lxd containers) never had a
  /var/lib/dpkg/arch file in them. Likewise, the development container
  where this profile was first created also didn't have that file.

  [ Original Description ]

  ubuntu-advantage-tools 32.3~18.04 is causing a new apparmor denial on
  Bionic when updating:

  [ 8091.769560] audit: type=1400 audit(1717273124.410:121): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=10358 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Fix:

  --- /etc/apparmor.d/ubuntu_pro_esm_cache.orig	2024-06-01 22:31:28.276735437 +0200
  +++ /etc/apparmor.d/ubuntu_pro_esm_cache	2024-06-01 22:31:07.163884846 +0200
  @@ -174,6 +174,8 @@

       /etc/dpkg/** r,

  +    /var/lib/dpkg/** r,
  +
       /{,usr/}bin/dpkg mr,

     }
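
Review bot: `/var/lib/dpkg/** r,` grants read access to the whole dpkg database (status, info/*, lock files and everything below it), while the denial being fixed, per the audit line above, is for the single file /var/lib/dpkg/arch; `/var/lib/dpkg/arch r,` would close the report with the least extra exposure, or the hunk should say why the entire tree is needed. The rule is also only added to the block that ends in `/{,usr/}bin/dpkg mr,` (the ubuntu_pro_esm_cache//dpkg child), whereas [ Impact ] and test (a) say `apt-cache policy` trips the same denial under the other subprofiles, so those need the matching read rule as well. Finally, this is a diff against the installed copy in /etc/apparmor.d; the change has to land in the package's profile source for the SRU, or it is lost on the next upgrade.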

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067810/+subscriptions