** Description changed:

+ [ Impact ]
+ 
+ On systems where /etc/os-release is an actual file instead of a symlink
+ to /usr/lib/os-release, the apparmor profile ubuntu_pro_esm_cache will
+ block access to it. The existing profile only allows access to
+ /usr/lib/os-release (via globbing rules written in other profiles that
+ are being included).
+ 
+ This results in the esm-cache.service failing to run:
+ 
+ May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-05-13T19:17:29.370", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
+ 
+ 
+ [ Test Plan ]
+ 
+ Keep sudo dmesg -wT | grep ubuntu_pro running in a terminal (in the same
+ VM, if testing in a VM, or in the host, if testing with a LXD
+ container), and then run this on the system being tested (LXD or VM):
+ 
+ sudo rm /etc/os-release
+ sudo cp /usr/lib/os-release /etc
+ sudo rm -rf /var/lib/apt/periodic/*
+ sudo systemctl start esm-cache.service
+ 
+ there should be no apparmor DENIED messages for an access to
+ /etc/os-release in the dmesg output. Additionally, /var/log/ubuntu-advantage.log
+ should not have a permission denied error referring to /etc/os-release.
+ 
+ Additionally, for a more surgical test, also run these:
+ 
+ sudo rm /etc/os-release
+ sudo cp /usr/lib/os-release /etc
+ sudo aa-exec -p ubuntu_pro_esm_cache cat /etc/os-release
+ 
+ On a system with the fixed apparmor profile, you should see the contents
+ of /etc/os-release. With the bug, the last command above will return a
+ permission denied error and dmesg will show a corresponding apparmor
+ DENIED error.
+ 
+ [ Where problems could occur ]
+ 
+ The fix is to include a rule to allow access to /etc/os-release, and
+ /usr/lib/os-release too (even though that was covered already via other
+ apparmor abstractions being included).
+ 
+ We don't think there is an additional security risk by this new allow
+ rule, and in fact, it should probably be covered by some base
+ abstraction in the future.
+ 
+ The risk being introduced by this fix is a syntax error on the profile,
+ but that is covered by the package build which runs a syntax check.
+ 
+ The other risk is that this rule could only be correct for certain
+ ubuntu releases, and not older ones like xenial, but this is a very
+ simple file access rule, which is something very old apparmor profiles
+ understand already.
+ 
+ [ Other Info ]
+ This was found by the CI system of a contributor who happened to be
+ including proposed packages in their testing, and that for some reason
+ does not have /etc/os-release as a symlink. We are unsure why
+ /etc/os-release is not a symlink, but nevertheless it's a valid
+ scenario, and should be fixed in the apparmor profile.
+ 
+ [ Original Description ]
+ 
  We just caught a regression in our CI:
  https://github.com/cockpit-project/bots/pull/6373
  
  An unexpected apparmor denial is logged in the journal:
  
  May 13 08:49:01 ubuntu systemd[1]: Starting Update APT News...
  May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
  May 13 08:49:02 ubuntu PackageKit[2370]: refresh-cache transaction /17_aebebede from uid 0 finished with success after 384ms
  May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
  May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(1715590142.157:71): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  May 13 08:49:02 ubuntu python3[2667]: ["2024-05-13T08:49:02.172", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]
  May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
  May 13 08:49:02 ubuntu systemd[1]: Finished Update the local ESM caches.
  May 13 08:49:02 ubuntu systemd[1]: apt-news.service: Deactivated successfully.
  May 13 08:49:02 ubuntu systemd[1]: Finished Update APT News.
  
+ The relevant change since the last (working) state is that these
+ packages got updated:
  
- The relevant change since the last (working) state is that these packages got updated:
- 
-   ubuntu-advantage-tools (31.2.3~22.04 -> 32~22.04)
-   ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
-   ubuntu-pro-client-l10n (31.2.3~22.04 -> 32~22.04)
+   ubuntu-advantage-tools (31.2.3~22.04 -> 32~22.04)
+   ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
+   ubuntu-pro-client-l10n (31.2.3~22.04 -> 32~22.04)
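As an added example (not part of the bug report above and not code from the ubuntu-pro-client package), the shell script below turns the two checks in the Test Plan into something that can be run offline against captured text: it counts AppArmor DENIED audit records for the ubuntu_pro_esm_cache profile that name /etc/os-release, and it checks whether a profile file carries an explicit read rule for a given path. The DENIED sample line is copied from the report; the other sample lines and both profile fragments are constructed for the example (the real profile's include structure is not shown in the report), and the function names count_denials, profile_allows_read and write_profiles are this example's own.

```shell
#!/bin/sh
# Added example for LP: #2065573. Not part of ubuntu-pro-client; the helper
# names are ours and the profile fragments below are constructed.

# Count AppArmor DENIED audit records for a profile that name a path.
# Reads log text (dmesg -T or journalctl output) on stdin and prints the
# number of matching records. Fixed-string matching via index() so the
# path is not treated as a regex.
count_denials() {
    awk -v p="profile=\"$1\"" -v n="name=\"$2\"" '
        /apparmor="DENIED"/ && index($0, p) && index($0, n) { c++ }
        END { print c + 0 }'
}

# Return success if the profile file has an explicit rule granting read
# on the path (e.g. "/etc/os-release r," or "owner /etc/os-release rk,").
# Caveat: this only sees rules written in that file. A path reached only
# through an included abstraction's glob rule (how /usr/lib/os-release was
# covered before the fix) is reported as "no rule", and "deny" rules are
# not matched at all.
profile_allows_read() {
    profile_file="$1"
    path="$2"
    # escape regex metacharacters that may occur in a path
    esc=$(printf '%s' "$path" | sed 's/[.[*^$]/\\&/g')
    grep -Eq "^[[:space:]]*(owner[[:space:]]+)?${esc}[[:space:]]+[a-z]*r[a-z]*," "$profile_file"
}

# Constructed sample log: the DENIED record from the report, one unrelated
# kernel line, and an ALLOWED (complain-mode style) record that must not
# be counted.
SAMPLE_LOG='May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="ALLOWED" operation="open" profile="ubuntu_pro_esm_cache" name="/usr/lib/os-release" pid=2667 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Constructed profile fragments written into a directory: "before" only
# includes an abstraction (which reaches /usr/lib/os-release via globbing),
# "after" adds the explicit rules the fix describes. Neither is the
# package's real profile text.
write_profiles() {
    dir="$1"
    cat > "$dir/before" <<'EOF'
profile ubuntu_pro_esm_cache {
  #include <abstractions/base>
}
EOF
    cat > "$dir/after" <<'EOF'
profile ubuntu_pro_esm_cache {
  #include <abstractions/base>
  /etc/os-release r,
  /usr/lib/os-release r,
}
EOF
}

main() {
    tmp=$(mktemp -d)
    write_profiles "$tmp"
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_denials ubuntu_pro_esm_cache /etc/os-release)
    echo "DENIED records for /etc/os-release in sample log: $n"
    for f in before after; do
        if profile_allows_read "$tmp/$f" /etc/os-release; then
            echo "$f: explicit read rule for /etc/os-release present"
        else
            echo "$f: no explicit read rule for /etc/os-release"
        fi
    done
    rm -rf "$tmp"
}

main "$@"
```

On a real system the same count_denials filter can be fed with `sudo dmesg -T` or `journalctl -k` output after running the Test Plan steps; a result of 0 for /etc/os-release is the expected outcome with the fixed profile. Note that the journal in the report carries the same event twice (once as an audit[] line and once as a kernel audit line), so a count of 2 per denied open is normal there, while dmesg shows only the kernel copy.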

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065573

Title:
  esm-cache.service denied access to /etc/os-release by apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2065573/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
