group.of.nepali.translators team mailing list archive
Message #47991
[Bug 2072489] Re: AppArmor denied errors for ubuntu_pro_apt_news profile
This bug was fixed in the package ubuntu-advantage-tools - 33.2~20.04
---------------
ubuntu-advantage-tools (33.2~20.04) focal; urgency=medium
* Backport 33.2 to focal (LP: #2069237)
ubuntu-advantage-tools (33.2) oracular; urgency=medium
* d/apparmor: add apt-news access to package information on the system
(LP: #2072489) (GH: #3193)
ubuntu-advantage-tools (33.1) oracular; urgency=medium
* New upstream release 33.1: (LP: #2060769)
- system:
+ always pass C.UTF8 as the language when calling a subprocess
+ ignore utf-8 decode errors on subprocess output
ubuntu-advantage-tools (33) oracular; urgency=medium
* d/apparmor: adjust the esm_cache apparmor profile to allow reading of dpkg
data directory (LP: #2067810) (GH: #3137)
* New upstream release 33 (LP: #2069237)
- apt: use Python bindings instead of apt CLI to query for installed
packages (LP: #2060769) (LP: #2068744)
- beta: drop support for beta services
- contracts: add support for contracts which target a specific series
- fips: change enable functionality to ensure all packages with a FIPS
candidate are upgraded to the FIPS version (GH: #2667)
- fix:
+ add the current_status field to the plan api return object
+ change recommended attach method to magic attach (GH: #3040)
- livepatch: prefer the term 'coverage' instead of 'support' in messaging
(GH: #3063)
- realtime:
+ auto-select the raspi variant when appropriate
+ inform the user when auto-selecting a variant
-- Lucas Moura <lucas.moura@xxxxxxxxxxxxx> Thu, 18 Jul 2024 11:20:13 -0400
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2072489
Title:
AppArmor denied errors for ubuntu_pro_apt_news profile
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Released
Status in ubuntu-advantage-tools source package in Focal:
Fix Released
Status in ubuntu-advantage-tools source package in Jammy:
Fix Released
Status in ubuntu-advantage-tools source package in Noble:
Fix Released
Bug description:
[ Impact ]
When the APT news available for a machine has a package+version
selector, the service needs access to dpkg/apt data to verify package
installation status. This is not permitted in the ubuntu_pro_apt_news
profile, and is triggering DENIED log entries. Those entries report
the service trying to execute /usr/bin/dpkg and accessing various
/var/lib/apt/lists/ files, which it should be able to do.
To reproduce this, one can configure a simple http server and serve an
apt-news JSON using a package selector. The Pro Client test suite has
an example for how that is done in features/apt_messages.feature.
Then, remove the apt stamp and start the apt-news service, steps which
are described in the test case. By chance, at the time of this
writing, there are actual apt-news messages with package selectors for
Jammy+, which made identifying the issue a lot easier.
The solution here is simply to allow the service to access the files it
needs.
[ Test Plan ]
There is a test scenario in the Pro Client CI (APT news selectors) which
was modified to catch those DENIED messages when they happen.
- Run the test using the package in the archive, see it fail
- Run it using the version in proposed, see it pass
This test will be executed as part of the verification of the main SRU
bug (LP: #2069237) for release 33.2. This test passing is considered
enough to mark this bug verification-done.
[ Where problems could occur ]
A syntax error in the apparmor profile would prevent it from loading,
and remove its protection entirely. To account for that, the package
build process runs an apparmor static check on the generated profiles,
and if that fails, the package build fails. It could still be
susceptible to errors at profile load-time regarding the running
kernel, which is likely different than the running kernel in the
launchpad builders.
Another type of mistake that could happen is inadvertently opening up
the profile more than is needed - but the affected profile does need
that access to verify the status of installed packages in the system.
It requests only read permissions on the directories and execute
permissions on the dpkg binary.
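As an added example (not code from ubuntu-pro-client and not part of this bug report), the script below parses the DENIED audit lines quoted in the original description, merges them into candidate AppArmor file rules in the style of aa-logprof, and then flags every candidate that asks for more than the reviewer expected, which is the "opening up the profile more than is needed" risk described above. The profile name and the expected-access map (read on the apt lists directory, execute on dpkg) come from this report; everything else is the script's own choice and is labelled as such in the code: the mkstemp-style generalization of /tmp names, the mapping of the log's create mask onto a w rule, and the ix placeholder for exec. Note also that log-driven rules only cover what was observed: the denial on /var/lib/apt/lists/ alone does not grant reading the files inside it, so whether a ** glob is warranted is a reviewer decision, not something the log can settle.

```python
"""Triage AppArmor DENIED audit lines and derive candidate profile rules.

Added example for this bug report; not code from ubuntu-pro-client.
"""
import re
from collections import defaultdict

# key="value" and key=value pairs as they appear in a type=1400 audit line
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Sample input: five of the denials quoted in the bug report (directory open,
# exec of dpkg, write to an unnamed /tmp file, two mkstemp-style creates).
SAMPLE_LOG = """\
Jul 8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line in text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in _KV.finditer(line):
            # group 3 is the quoted value, group 4 the bare one
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        denials.append(fields)
    return denials


# Heuristic (this script's choice): a /tmp name ending in .XXXXXX is a
# mkstemp-style temporary file, so one glob should cover every run.
_MKSTEMP = re.compile(r'^(.*)\.[A-Za-z0-9]{6}$')


def generalize(path):
    """Collapse mkstemp-style /tmp names into a glob; keep other paths literal."""
    if path.startswith('/tmp/'):
        m = _MKSTEMP.match(path)
        if m:
            return m.group(1) + '.*'
    return path


def candidate_rules(denials, profile):
    """Merge the denials of one profile into {path_or_glob: set(log mask letters)}."""
    wanted = defaultdict(set)
    for d in denials:
        if d.get('profile') != profile or 'name' not in d:
            continue
        wanted[generalize(d['name'])].update(d.get('requested_mask', ''))
    return dict(wanted)


# Log masks that have no rule letter of their own: create/delete are granted by w.
_LOG_TO_RULE = {'c': 'w', 'd': 'w'}
_ORDER = 'rwalkm'


def render_rule(path, mask):
    """Render one AppArmor file rule. Exec is emitted as 'ix' only as a
    placeholder: the transition (ix/Px/Cx) is a review decision."""
    letters = {_LOG_TO_RULE.get(c, c) for c in mask}
    mode = ''.join(c for c in _ORDER if c in letters)
    if 'x' in letters:
        mode += 'ix'
    return f"  {path} {mode},"


def review(rules, expected):
    """Return (path, extra_mask) for every candidate rule that asks for more
    than `expected` ({path_or_glob: allowed log mask letters}) permits.
    Anything returned here must be understood before it goes in the profile."""
    findings = []
    for path, mask in sorted(rules.items()):
        extra = set(mask) - set(expected.get(path, ''))
        if extra:
            findings.append((path, ''.join(sorted(extra))))
    return findings


def main():
    denials = parse_denials(SAMPLE_LOG)
    rules = candidate_rules(denials, 'ubuntu_pro_apt_news')
    print('# candidate rules derived from the log (review before use):')
    for path, mask in sorted(rules.items()):
        print(render_rule(path, mask))
    # What this bug report says the profile should need: read on the apt
    # lists directory, execute on dpkg. Everything beyond that is flagged.
    expected = {'/var/lib/apt/lists/': 'r', '/usr/bin/dpkg': 'x'}
    for path, extra in review(rules, expected):
        print(f"# REVIEW: {path} asks for '{extra}' beyond the expected access")


if __name__ == '__main__':
    main()
```

Run against the quoted log, the script emits four candidate rules and flags the two /tmp entries (an unnamed file opened for write, and the clearsigned.message.* creates), since neither is covered by the read-and-execute access the report describes. That is the intended outcome of the check: the flagged lines are the ones a reviewer has to explain before widening the profile.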
[ Other Info ]
Upstream bug report: https://github.com/canonical/ubuntu-pro-client/issues/3193
Unfortunately this wasn't caught by the extensive Pro test suite
because there was a gap on the test which targets the package
selectors for apt news, where the CI would run `pro refresh messages`
to check for outputs rather than actually calling the service. The
test was updated to start the service using `systemctl` instead.
[ Original Description ]
With ubuntu-advantage-tools 32.3.1~22.04 on jammy (22.04.4 LTS), I see
these errors in my logs once a day:
Jul 8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885759] audit: type=1400 audit(1720431788.385:410): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.886077] audit: type=1400 audit(1720431788.385:412): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889614] audit: type=1400 audit(1720431788.389:413): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.neWaMc" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889781] audit: type=1400 audit(1720431788.389:414): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889816] audit: type=1400 audit(1720431788.389:415): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.5aSBV3" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0