
ubuntustudio-bugs team mailing list archive

[Bug 2123870] Re: apparmor several profiles incompatible with new coreutils scheme


I'm going to remove the bug tasks that were deemed "invalid", because LP
is already starting to timeout when comments are added here.

** No longer affects: bind9 (Ubuntu)

** No longer affects: chrony (Ubuntu)

** No longer affects: clamav (Ubuntu)

** No longer affects: digikam (Ubuntu)

** No longer affects: docker.io (Ubuntu)

** No longer affects: docker.io-app (Ubuntu)

** No longer affects: fwknop (Ubuntu)

** No longer affects: geoclue-2.0 (Ubuntu)

** No longer affects: ibus-hangul (Ubuntu)

** No longer affects: inspircd (Ubuntu)

** No longer affects: kgeotag (Ubuntu)

** No longer affects: kmail (Ubuntu)

** No longer affects: konqueror (Ubuntu)

** No longer affects: lomiri-download-manager (Ubuntu)

** No longer affects: lxc (Ubuntu)

** No longer affects: marble (Ubuntu)

** No longer affects: mysql-8.4 (Ubuntu)

** No longer affects: onioncircuits (Ubuntu)

** No longer affects: openldap (Ubuntu)

** No longer affects: pollen (Ubuntu)

** No longer affects: postsrsd (Ubuntu)

** No longer affects: privoxy (Ubuntu)

** No longer affects: quassel (Ubuntu)

** No longer affects: rsyslog (Ubuntu)

** No longer affects: squid (Ubuntu)

** No longer affects: sssd (Ubuntu)

** No longer affects: strongswan (Ubuntu)

** No longer affects: swtpm (Ubuntu)

** No longer affects: tcpdump (Ubuntu)

** No longer affects: tor (Ubuntu)

** No longer affects: torbrowser-launcher (Ubuntu)

** No longer affects: unbound (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to digikam in Ubuntu.
https://bugs.launchpad.net/bugs/2123870

Title:
  apparmor several profiles incompatible with new coreutils scheme

Status in akonadi package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in cups package in Ubuntu:
  In Progress
Status in cups-browsed package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  In Progress
Status in isc-dhcp package in Ubuntu:
  In Progress
Status in libvirt package in Ubuntu:
  Fix Released
Status in pollinate package in Ubuntu:
  In Progress
Status in snapd package in Ubuntu:
  In Progress
Status in surf package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Committed

Bug description:
  apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
  binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2, released
  on May 08, 2025. Minimally this looks to affect the wg-quick profile,
  but there may be other profiles that are affected.

  gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. AppArmor resolves the symlink to the real target path, which then breaks any AppArmor profile that referenced the utility by its /usr/bin or /usr/sbin name.

  
  The result is many DENIED operations for any symlinked gnu-coreutils command.

  
  This bug appears to affect any apparmor profile in Ubuntu questing which happens to set file-based mediation rules for any of the symlinked utilities below:

  
  Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format:

  ```
  pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ```
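The following Python script is an added example, not code from the bug report or from the apparmor package. It parses AppArmor DENIED audit lines of the shape quoted above, keeps only the events whose resolved path is a coreutils gnu<tool> target, and prints the file rules a profile would need for the resolved path (merging the denied masks per path and folding paths that share a directory and permissions into one alternation rule). The set of known symlinks is a subset of the utility list in this report, the extra audit lines beyond the three quoted ones are constructed, and mapping an exec denial to the `ix` permission is an assumption.

```python
"""Map AppArmor DENIED events caused by the coreutils /usr/bin/<tool> ->
/usr/bin/gnu<tool> symlinks back to the utility a profile named, and suggest
the rules for the resolved target path.  Added example, not code from the bug
report or the apparmor package."""
import re
from collections import defaultdict

# Subset of the symlinked utilities listed in the bug report; the full list has
# 106 entries and would simply extend this set.
COREUTILS_SYMLINKS = {
    "/usr/bin/cat", "/usr/bin/readlink", "/usr/bin/sort", "/usr/bin/mkdir",
    "/usr/bin/chmod", "/usr/bin/rm", "/usr/bin/id", "/usr/sbin/chroot",
}

# Constructed sample: the three denials quoted in the report, plus three extra
# lines (an exec denial, a non-coreutils denial, an ALLOWED event) to exercise
# the filters.  Timestamps and pids are illustrative only.
SAMPLE_AUDIT = """\
kernel: audit: type=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757951720.200:448): apparmor="DENIED" operation="exec" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757951720.300:449): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/etc/wireguard/wg0.conf" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1757951720.400:450): apparmor="ALLOWED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

AUDIT_RE = re.compile(
    r'apparmor="(?P<status>[A-Z]+)"\s+operation="(?P<op>[^"]+)".*?'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)".*?'
    r'denied_mask="(?P<mask>[^"]+)"'
)
MASK_ORDER = "rwxmkl"   # order in which permission letters are written in a rule


def parse_denials(text):
    """One dict per DENIED event: profile, resolved path (name) and denied mask."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m and m.group("status") == "DENIED":
            events.append({"profile": m.group("profile"),
                           "name": m.group("name"),
                           "mask": m.group("mask")})
    return events


def symlink_source(target):
    """'/usr/bin/gnucat' -> '/usr/bin/cat' if cat is a known coreutils symlink,
    else None.  Unrelated names such as /usr/bin/gnuplot are rejected because
    /usr/bin/plot is not in the set."""
    directory, _, base = target.rpartition("/")
    if not base.startswith("gnu"):
        return None
    source = f"{directory}/{base[3:]}"
    return source if source in COREUTILS_SYMLINKS else None


def rule_mask(chars):
    """Turn a set of denied-mask letters into a profile permission string.
    A bare 'x' is not valid in a file rule; 'ix' (inherit the profile on exec)
    is the assumption made here, 'Px'/'Cx' would be the alternatives."""
    ordered = "".join(sorted(chars, key=MASK_ORDER.find))
    return ordered.replace("x", "ix")


def suggest_rules(denials):
    """profile -> sorted rules for the resolved gnu<tool> paths, masks merged per path."""
    merged = defaultdict(lambda: defaultdict(set))
    for d in denials:
        if symlink_source(d["name"]) is None:
            continue            # not one of the coreutils symlink targets
        merged[d["profile"]][d["name"]].update(d["mask"])
    return {profile: sorted(f"{path} {rule_mask(chars)},"
                            for path, chars in targets.items())
            for profile, targets in merged.items()}


def collapse_rules(rules):
    """Fold rules that share a directory and permissions into one AppArmor
    alternation rule, e.g. '/usr/bin/{gnucat,gnusort} r,'."""
    groups = defaultdict(list)
    for rule in rules:
        path, perms = rule.rstrip(",").rsplit(" ", 1)
        directory, _, base = path.rpartition("/")
        groups[(directory, perms)].append(base)
    collapsed = []
    for (directory, perms), bases in sorted(groups.items()):
        names = bases[0] if len(bases) == 1 else "{" + ",".join(sorted(bases)) + "}"
        collapsed.append(f"{directory}/{names} {perms},")
    return collapsed


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_denials(SAMPLE_AUDIT)).items():
        print(f"# rules to add to profile '{profile}':")
        for rule in collapse_rules(rules):
            print("  " + rule)
```

Run against a real system with `journalctl -k | python3 script.py`-style piping replaced by reading the log into `SAMPLE_AUDIT`; the filter on `symlink_source` keeps the output focused on denials the coreutils symlink change explains, so denials for unrelated paths (the wg0.conf line in the sample) are left for separate review rather than turned into rules blindly.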


  Symlinked utilities due to gnu-coreutils:
  /usr/bin/arch
  /usr/bin/b2sum
  /usr/bin/base32
  /usr/bin/base64
  /usr/bin/basename
  /usr/bin/basenc
  /usr/bin/cat
  /usr/bin/chcon
  /usr/bin/chgrp
  /usr/bin/chmod
  /usr/bin/chown
  /usr/bin/cksum
  /usr/bin/comm
  /usr/bin/cp
  /usr/bin/csplit
  /usr/bin/cut
  /usr/bin/date
  /usr/bin/dd
  /usr/bin/df
  /usr/bin/dir
  /usr/bin/dircolors
  /usr/bin/dirname
  /usr/bin/du
  /usr/bin/echo
  /usr/bin/env
  /usr/bin/expand
  /usr/bin/expr
  /usr/bin/factor
  /usr/bin/false
  /usr/bin/fmt
  /usr/bin/fold
  /usr/bin/groups
  /usr/bin/head
  /usr/bin/hostid
  /usr/bin/id
  /usr/bin/install
  /usr/bin/join
  /usr/bin/link
  /usr/bin/ln
  /usr/bin/logname
  /usr/bin/ls
  /usr/bin/md5sum
  /usr/bin/mkdir
  /usr/bin/mkfifo
  /usr/bin/mknod
  /usr/bin/mktemp
  /usr/bin/mv
  /usr/bin/nice
  /usr/bin/nl
  /usr/bin/nohup
  /usr/bin/nproc
  /usr/bin/numfmt
  /usr/bin/od
  /usr/bin/paste
  /usr/bin/pathchk
  /usr/bin/pinky
  /usr/bin/pr
  /usr/bin/printenv
  /usr/bin/printf
  /usr/bin/ptx
  /usr/bin/pwd
  /usr/bin/readlink
  /usr/bin/realpath
  /usr/bin/rm
  /usr/bin/rmdir
  /usr/bin/runcon
  /usr/bin/seq
  /usr/bin/sha1sum
  /usr/bin/sha224sum
  /usr/bin/sha256sum
  /usr/bin/sha384sum
  /usr/bin/sha512sum
  /usr/bin/shred
  /usr/bin/shuf
  /usr/bin/sleep
  /usr/bin/sort
  /usr/bin/split
  /usr/bin/stat
  /usr/bin/stdbuf
  /usr/bin/stty
  /usr/bin/sum
  /usr/bin/sync
  /usr/bin/tac
  /usr/bin/tail
  /usr/bin/tee
  /usr/bin/test
  /usr/bin/timeout
  /usr/bin/touch
  /usr/bin/tr
  /usr/bin/true
  /usr/bin/truncate
  /usr/bin/tsort
  /usr/bin/tty
  /usr/bin/uname
  /usr/bin/unexpand
  /usr/bin/uniq
  /usr/bin/unlink
  /usr/bin/users
  /usr/bin/vdir
  /usr/bin/wc
  /usr/bin/who
  /usr/bin/whoami
  /usr/bin/yes
  /usr/sbin/chroot


  
  ### steps to reproduce

  ```
  lxc launch ubuntu-daily:questing --vm kvm-q
  lxc exec kvm-q bash
  apt-get update --yes
  apt-get install wireguard-tools --yes
  modprobe wireguard
  su - ubuntu
  umask 077
  wg genkey > wg0.key
  wg pubkey < wg0.key > wg0.pub
  <CTRL-D>
  root@kvm-q:~#  KEY=`cat /home/ubuntu/wg0.key`
  root@kvm-q:~#  PUBKEY=`cat /home/ubuntu/wg0.pub`
  root@kvm-q:~#  cat > /etc/wireguard/wg0.conf <<EOF
  [Interface]
  Address = 192.168.254.1/32
  ListenPort = 51820
  PrivateKey = ${KEY}

  [Peer]
  PublicKey = ${PUBKEY}
  AllowedIPs = 192.168.254.2/32
  EOF

  systemctl restart wg-quick@wg
  echo $?

  journalctl -u wg-quick@wg.service
  ```

  ```
  Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
  Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
  Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akonadi/+bug/2123870/+subscriptions