** Description changed:

  [ Impact ]
  
  On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting
  apparmor DENIED errors on the apt update hook which executes
  esm-cache.service.
  
  This ONLY happens if the version with the apparmor profiles is installed
  on a Focal system which has been upgraded from Bionic, using
  do-release-upgrade.
  
  It seems that despite covering /usr/bin/ in the profile on Focal for
  commands like uname or systemctl, we don't account for /bin/. However,
  when coming from a Bionic system, /bin/ is an actual folder instead of a
  symlink (as expected on a fresh Focal machine).
  
  This happens because of the usr-merge[1] effort. On fresh focal systems,
  we have symlinks replacing top-level directories like /bin, /sbin, and
  others:
  root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
  lrwxrwxrwx 1 root root  7 May 24 21:40 /bin -> usr/bin
  lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
  lrwxrwxrwx 1 root root  7 May 24 21:40 /lib -> usr/lib
  lrwxrwxrwx 1 root root  9 May 24 21:40 /lib32 -> usr/lib32
  lrwxrwxrwx 1 root root  9 May 24 21:40 /lib64 -> usr/lib64
  lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
  lrwxrwxrwx 1 root root  8 May 24 21:40 /sbin -> usr/sbin
  
  In bionic, these are actual directories:
  root@b:~# ls -lad /{bin,lib,lib*,sbin}
  drwxr-xr-x 1 root root 2472 Jun  7  2023 /bin
  drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
  drwxr-xr-x 1 root root  438 Jun  7  2023 /lib
  drwxr-xr-x 1 root root   40 Jun  7  2023 /lib64
  drwxr-xr-x 1 root root 3694 Jun  7  2023 /sbin
  
  In a focal system that was upgraded from bionic, the usr-merge is not
  done, and this focal system will retain the bionic top-level
  directories.
  
  Logs:
  2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
        2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
        2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end
  
- 
  1. https://wiki.debian.org/UsrMerge
- 
  
  [ Test Plan ]
  
  These were caught by the automated verification tests for v32.2 in
  -proposed. If all of the automated verification tests pass for the
  version with the fix (32.3), then that will be considered a verification
  for this bug as well.
  
  [ Where problems could occur ]
  
  The fix edits the template for the ubuntu_pro_esm_cache apparmor
  profile. If mistakes were made, it may cause new apparmor denials or
  other related issues, ultimately meaning esm-cache.service wouldn't run
  properly, preventing esm update notifications from being displayed on
  unattached machines.
+ 
+ Given the nature of the change needed for this fix, it is very unlikely
+ that we are breaking anything else: we are making the rules more
+ permissive than they were before. However, if any typo is present, we
+ may be breaking the esm-cache.service as mentioned before.
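As an added example (not code from the bug report or from ubuntu-advantage-tools), a small parser that pulls the DENIED exec records out of kernel audit lines like the ones above, groups them by profile and target path, and flags targets under the top-level directories that usr-merge replaces with symlinks. The `/{usr/,}` alternation it suggests is the usual AppArmor way to cover both the merged and unmerged layout and is an assumption here, not taken from the package's profile template; the sample records are constructed from values in the logs above, with the namespace field left out.

```python
import re
from collections import Counter

# Constructed sample records in the shape of the kernel audit lines from the
# bug report (namespace= field omitted); the third is an ALLOWED control case.
SAMPLE_AUDIT_LINES = [
    'May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): '
    'apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" '
    'name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000',
    'May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): '
    'apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache//cloud_id" '
    'name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000',
    'May 24 03:09:10 rtp kernel: [237305.000000] audit: type=1400 audit(1716530950.000:82850): '
    'apparmor="ALLOWED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" '
    'name="/usr/bin/uname" pid=108730 comm="python3" requested_mask="x" denied_mask="x"',
]

# key="quoted value" or key=bareword, as written by the apparmor audit layer
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Top-level directories that usr-merge turns into symlinks into /usr; on a
# focal system upgraded from bionic they are still real directories.
UNMERGED_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/lib32/", "/lib64/", "/libx32/")


def parse_audit_line(line):
    """Return the key=value fields of one apparmor audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(1) else m.group(4)
    return fields


def unmerged_path_denials(lines):
    """Count DENIED exec records whose target sits under an unmerged top-level
    directory, keyed by (profile, path). A rule written only for /usr/bin/...
    never matches these on an upgraded-from-bionic machine."""
    hits = Counter()
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "exec":
            continue
        name = f.get("name", "")
        if name.startswith(UNMERGED_PREFIXES):
            hits[(f.get("profile", "?"), name)] += 1
    return hits


def suggested_rule_path(path):
    """Rewrite either layout's path to an alternation matching both, e.g.
    /bin/uname or /usr/bin/uname -> /{usr/,}bin/uname (assumed fix shape)."""
    rel = path[len("/usr/"):] if path.startswith("/usr/") else path.lstrip("/")
    return "/{usr/,}" + rel
```

Run it against the audit lines for the profile in question; each (profile, path) pair it reports is a candidate for the alternation form.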

https://bugs.launchpad.net/bugs/2067319

Title:
  After upgrading from bionic to focal, esm-cache.service hits apparmor
  denials
