** Description changed:

[ Impact ]

On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting
apparmor DENIED errors on the apt update hook which executes
esm-cache.service.

This ONLY happens if the version with the apparmor profiles is installed
on a Focal system which has been upgraded from Bionic, using
do-release-upgrade.

It seems that despite covering /usr/bin/ in the profile on Focal for
commands like uname or systemctl, we don't account for /bin/. However,
when coming from a Bionic system, /bin/ is an actual folder instead of a
symlink (as expected on a fresh Focal machine).

This happens because of the usr-merge[1] effort. On fresh focal systems,
we have symlinks replacing top-level directories like /bin, /sbin, and
others:

root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
lrwxrwxrwx 1 root root  7 May 24 21:40 /bin -> usr/bin
lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
lrwxrwxrwx 1 root root  9 May 24 21:40 /lib32 -> usr/lib32
lrwxrwxrwx 1 root root  9 May 24 21:40 /lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
lrwxrwxrwx 1 root root  8 May 24 21:40 /sbin -> usr/sbin

In bionic, these are actual directories:

root@b:~# ls -lad /{bin,lib,lib*,sbin}
drwxr-xr-x 1 root root 2472 Jun  7  2023 /bin
drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
drwxr-xr-x 1 root root   40 Jun  7  2023 /lib64
drwxr-xr-x 1 root root 3694 Jun  7  2023 /sbin

In a focal system that was upgraded from bionic, the usr-merge is not
done, and this focal system will retain the bionic top-level directories.
Logs:

2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end

- 1. https://wiki.debian.org/UsrMerge
-
[ Test Plan ]

These were caught by the automated verification tests for v32.2 in
-proposed. If all of the automated verification tests pass for the
version with the fix (32.3), then that will be considered a verification
for this bug as well.
[ Where problems could occur ]

The fix edits the template for the ubuntu_pro_esm_cache apparmor profile.
If mistakes were made, it may cause new apparmor denials or other related
issues, ultimately meaning esm-cache.service wouldn't run properly,
preventing esm update notifications from being displayed on unattached
machines.
+
+ Given the nature of the change needed for this fix, it is very unlikely
+ that we are breaking anything else: we are making the rules more
+ permissive than they were before. However, if any typo is present, we
+ may be breaking the esm-cache.service as mentioned before.
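As an added illustration (not part of the bug report or of the ubuntu-advantage-tools code), the Python below parses apparmor DENIED audit lines like the ones quoted above and, for each exec denial on a path under a usr-merge alias directory (/bin, /sbin, /lib...), emits the /{usr/,}bin/... path glob that matches on both a fresh focal (symlink) and a focal upgraded from bionic (real directory). The sample log lines are constructed from the bug's denials, and the exec transition mode of any rule built from the glob is left to the profile author.

```python
import os
import re

# Constructed sample lines, modelled on the kernel audit denials quoted in the bug.
SAMPLE_LOG = """\
audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x"
audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x"
audit: type=1400 audit(1716530949.700:82843): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=108722 comm="python3" requested_mask="r" denied_mask="r"
"""

# Top-level directories that are symlinks into /usr on a usr-merged (fresh
# focal) system but real directories on a focal upgraded from bionic.
USR_MERGE_DIRS = ("bin", "sbin", "lib", "lib32", "lib64", "libx32")

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ALIAS = re.compile(r"^/(?:usr/)?(%s)/(.+)$" % "|".join(USR_MERGE_DIRS))

def parse_denial(line):
    """Key=value fields of an apparmor DENIED audit line, or None otherwise."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def widen_path(path):
    """Rewrite /bin/x or /usr/bin/x as /{usr/,}bin/x so a single apparmor rule
    matches whether or not the top-level directory is a symlink into /usr.
    Paths outside the usr-merge directories come back unchanged."""
    m = _ALIAS.match(path)
    return "/{usr/,}%s/%s" % m.groups() if m else path

def exec_denials_to_widen(log_text):
    """Sorted (profile, denied path, widened glob) triples for every exec
    denial whose path lives under a usr-merge alias directory."""
    found = set()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or f.get("operation") != "exec":
            continue
        widened = widen_path(f["name"])
        if widened != f["name"]:
            found.add((f["profile"], f["name"], widened))
    return sorted(found)

def is_usr_merged(root="/"):
    """True when <root>/bin is a symlink (fresh focal), False when it is a real
    directory (focal upgraded from bionic, where the denials above occur)."""
    return os.path.islink(os.path.join(root, "bin"))
```

Running exec_denials_to_widen over the real journal output would list, per profile, exactly the /bin and /sbin paths whose rules need the {usr/,} alternation; is_usr_merged tells you whether the machine you are on can reproduce the denial at all.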
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067319

Title:
  After upgrading from bionic to focal, esm-cache.service hits apparmor
  denials

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067319/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs