
group.of.nepali.translators team mailing list archive

[Bug 2072489] Re: AppArmor denied errors for ubuntu_pro_apt_news profile

 

This bug was fixed in the package ubuntu-advantage-tools - 33.2~22.04

---------------
ubuntu-advantage-tools (33.2~22.04) jammy; urgency=medium

  * Backport 33.2 to jammy (LP: #2069237)

ubuntu-advantage-tools (33.2) oracular; urgency=medium

  * d/apparmor: add apt-news access to package information on the system
    (LP: #2072489) (GH: #3193)

ubuntu-advantage-tools (33.1) oracular; urgency=medium

  * New upstream release 33.1: (LP: #2060769)
    - system:
      + always pass C.UTF8 as the language when calling a subprocess
      + ignore utf-8 decode errors on subprocess output

ubuntu-advantage-tools (33) oracular; urgency=medium

  * d/apparmor: adjust the esm_cache apparmor profile to allow reading of dpkg
    data directory (LP: #2067810) (GH: #3137)
  * New upstream release 33 (LP: #2069237)
    - apt: use Python bindings instead of apt CLI to query for installed
      packages (LP: #2060769) (LP: #2068744)
    - beta: drop support for beta services
    - contracts: add support for contracts which target a specific series
    - fips: change enable functionality to ensure all packages with a FIPS
      candidate are upgraded to the FIPS version (GH: #2667)
    - fix:
      + add the current_status field to the plan api return object
      + change recommended attach method to magic attach (GH: #3040)
    - livepatch: prefer the term 'coverage' instead of 'support' in messaging
      (GH: #3063)
    - realtime:
      + auto-select the raspi variant when appropriate
      + inform the user when auto-selecting a variant

 -- Lucas Moura <lucas.moura@xxxxxxxxxxxxx>  Thu, 18 Jul 2024 11:20:14 -0400

** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** Changed in: ubuntu-advantage-tools (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2072489

Title:
  AppArmor denied errors for ubuntu_pro_apt_news profile

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
  Fix Released
Status in ubuntu-advantage-tools source package in Focal:
  Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
  Fix Released
Status in ubuntu-advantage-tools source package in Noble:
  Fix Released

Bug description:
  [ Impact ]

  When the APT news available for a machine have a package+version
  selector, the service needs access to dpkg/apt data to verify package
  installation status. This is not permitted in the ubuntu_pro_apt_news
  profile, and is triggering DENIED log entries. Those entries report
  the service trying to execute /usr/bin/dpkg and accessing various
  /var/lib/apt/lists/ files, which it should be able to do.

  To reproduce this, one can configure a simple http server and serve an
  apt-news JSON using a package selector. The Pro Client test suite has
  an example for how that is done in features/apt_messages.feature.
  Then, remove the apt stamp and start the apt-news service, steps which
  are described in the test case. By chance, at the time of this
  writing, there are actual apt-news messages with package selectors for
  Jammy+, which made identifying the issue a lot easier.

  The solution here is simply to allow the service to access the files it
  needs.

  [ Test Plan ]

  There is a test scenario in the Pro Client CI which was modified to catch those DENIED messages when they happen.
  (APT news selectors).
  - Run the test using the package in the archive, see it fail
  - Run it using the version in proposed, see it pass

  This test will be executed as part of the verification of the main SRU
  bug (LP: #2069237) for release 33.2. This test passing is considered
  enough to mark this bug verification-done.

  [ Where problems could occur ]

  A syntax error in the apparmor profile would prevent it from loading,
  and remove its protection entirely. To account for that, the package
  build process runs an apparmor static check on the generated profiles,
  and if that fails, the package build fails. It could still be
  susceptible to errors at profile load-time regarding the running
  kernel, which is likely different than the running kernel in the
  launchpad builders.

  Another type of mistake that could happen is inadvertently opening up
  the profile more than is needed - but the affected profile does need
  that access to verify the status of installed packages in the system.
  It requests only read permissions on the directories and execute
  permissions on the dpkg binary.

  [ Other Info ]

  Upstream bug report: https://github.com/canonical/ubuntu-pro-client/issues/3193

  Unfortunately this wasn't caught by the extensive Pro test suite
  because there was a gap on the test which targets the package
  selectors for apt news, where the CI would run `pro refresh messages`
  to check for outputs rather than actually calling the service. The
  test was updated to start the service using `systemctl` instead.

  [ Original Description ]

  With ubuntu-advantage-tools 32.3.1~22.04 on jammy (22.04.4 LTS), I see
  these errors in my logs once a day:

  Jul  8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.885759] audit: type=1400 audit(1720431788.385:410): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.886077] audit: type=1400 audit(1720431788.385:412): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.889614] audit: type=1400 audit(1720431788.389:413): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.neWaMc" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.889781] audit: type=1400 audit(1720431788.389:414): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Jul  8 17:43:08 yarn-labs kernel: [691764.889816] audit: type=1400 audit(1720431788.389:415): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.5aSBV3" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2072489/+subscriptions
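
Added example, not part of the original bug notification or of the Pro Client code: a small triage script that groups AppArmor DENIED audit records like the ones quoted in the report by profile, operation, path and denied mask, so a missing rule shows up as one row instead of many near-identical log lines. The function names and the collapsing of six-character random temp-file suffixes are assumptions made for this illustration.

```python
import re
from collections import Counter

# Five of the audit lines quoted in the report above, embedded so this runs offline.
SAMPLE_LOG = """\
Jul  8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul  8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul  8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul  8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul  8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="quoted" or key=bare
HEX_NAME = re.compile(r"(?:[0-9A-Fa-f]{2})+")        # unquoted, hex-encoded path
TMP_SUFFIX = re.compile(r"\.[A-Za-z0-9]{6}$")        # e.g. clearsigned.message.Z4ikhX


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # Names with spaces or quotes are logged unquoted as hex; decode them.
        if key == "name" and bare and HEX_NAME.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields


def summarize(log_text):
    """Count denials per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        # Assumption: a trailing 6-char random suffix marks a temp file; collapse it.
        path = TMP_SUFFIX.sub(".*", d.get("name", "?"))
        counts[(d.get("profile"), d.get("operation"), path, d.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {op:<6} {mask:<2} {path}")
```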