** Also affects: ubuntu-advantage-tools (Ubuntu Questing)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: ubuntu-advantage-tools (Ubuntu Noble)
Importance: Undecided
Status: New
** Description changed:
+ [ Impact ]
+
+ CPC reported AppArmor denials when building images on systems where /sys/firmware/devicetree is present, as seen in the original description below.
+ The fix, present in resolute, is to add the permission to the apparmor profile.
+
+ [ Test Plan ]
+
+ Run https://github.com/canonical/ubuntu-pro-client/blob/main/sru/release-37/test-apparmor-firmware-access.sh using a version without the fix, and see it fail
+
+ Run https://github.com/canonical/ubuntu-pro-client/blob/main/sru/release-37/test-apparmor-firmware-access.sh using the version in -proposed, and see it pass
+
+ Remove the hardware mocks from the script, and run with both packages,
+ see it all passes (so no regressions expected)
+
+ [ Where problems could occur ]
+
+ Changing an AppArmor profile always brings two different kinds of risks: getting more denials than expected, or allowing more than intended.
+ We believe the first concern is not a problem because this change is adding a permission without removing any of the existing permissions.
+ We believe the second concern is not a problem because this change limits the permission grant exactly to the path that needs to be accessed, and the change itself was reviewed and approved by the AppArmor team in the upstream PR, as seen in: https://github.com/canonical/ubuntu-pro-client/pull/3515
+
+ The outlined test plan is a reinforcement that the change actually fixes
+ the bug.
+
+ [ Other Info ]
+
+ ubuntu-advantage-tools has an SRU exception, but this bug does *not* make use of it, as we are:
+ - not adding any new feature, this is just a bugfix
+ - not sending this fix to EOSS releases
+
+ [ Original Description ]
+
When the apt update hook in /etc/apt/apt.conf.d/20apt-esm-hook.conf is
run, esm-cache.service will be called which in turn will call
/usr/lib/ubuntu-advantage/esm_cache.py with the ubuntu_pro_esm_cache
apparmor profile defined in /etc/apparmor.d/ubuntu_pro_esm_cache.
When /var/lib/ubuntu-advantage/status.json is not present, the client
will try to access /sys/firmware/devicetree/base/model. On devices
without a devicetree, the file will not be present and generate an INFO
message, whereas when the device has a devicetree, an apparmor DENIED
audit message will be sent:
[ 66.683094] audit: type=1400 audit(1763047623.421:126): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache" name="/sys/firmware/devicetree/base/model" pid=1772 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
This access is performed on line 304 in uaclient/system.py:
https://github.com/canonical/ubuntu-pro-client/blob/36/uaclient/system.py#L304
This can be fixed by adding the following line to the ubuntu_pro_esm_cache
apparmor profile:
/sys/firmware/devicetree/base/model r,
It seems like there is an additional apparmor DENIED message when
esm-cache.service is run the first time after status.json is removed
(tested on the same machine and reproduced on a different machine):
[1250769.610083] audit: type=1400 audit(1763111087.744:78534): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/dmi/entries/0-0/raw" pid=619752 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
This happens when systemd-detect-virt is run. It can be fixed by adding
the following line to the ubuntu_pro_esm_cache_systemd_detect_virt
profile, defined in the same file, /etc/apparmor.d/ubuntu_pro_esm_cache:
/sys/firmware/dmi/entries/** r,
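The two DENIED records above are exactly the input a profile maintainer works from, so here is an added example (written for this page, not code from ubuntu-pro-client or apparmor-utils; function names are the example's own) that parses kernel AppArmor audit lines into the narrowest rule that clears each denial, builds the wider `/sys/firmware/dmi/entries/**` form the report proposes for the DMI case, and then checks what a given rule actually grants. The two DENIED lines are the ones quoted in the report, joined onto single lines; the ALLOWED line and the sibling paths probed at the end are constructed for illustration. The glob matcher covers only `*`, `**` and `?`, not AppArmor alternation, character classes or variables.

```python
# Added example for this bug report (not code from ubuntu-pro-client or
# apparmor-utils; function names are the example's own).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Audit records are key="quoted" or key=bare pairs, as the kernel prints them.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass(frozen=True)
class Denial:
    profile: str
    path: str
    mask: str   # denied_mask: the permission bits the profile is missing
    comm: str

def parse_denial(line: str) -> Optional[Denial]:
    """One dmesg/audit line -> Denial, or None for anything that is not an
    AppArmor file DENIED record (ALLOWED records, capability/mount denials)."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
        return None
    if "name" not in fields or "profile" not in fields:
        return None
    return Denial(profile=fields["profile"], path=fields["name"],
                  mask=fields.get("denied_mask") or fields.get("requested_mask", "r"),
                  comm=fields.get("comm", ""))

def exact_rule(d: Denial) -> str:
    """Narrowest rule that clears the denial (literal path, missing bits only),
    the shape the report proposes for the devicetree model file."""
    return f"{d.path} {d.mask},"

def widened_rule(d: Denial, keep_components: int) -> str:
    """Keep the first `keep_components` path components and glob the rest with
    '**' (matches across '/'), the shape the report proposes for the DMI
    entries, whose directory names (0-0, 1-0, ...) vary per machine."""
    prefix = "/".join(d.path.split("/")[:keep_components + 1])
    return f"{prefix}/** {d.mask},"

def _glob_to_regex(pattern: str):
    # Subset of AppArmor globbing: '**' crosses '/', '*' and '?' do not.
    # Alternation {a,b}, character classes and @{variables} are not handled.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def rule_grants(rule: str, path: str, perm: str = "r") -> bool:
    """Does a 'pattern mask,' rule grant `perm` on `path`? Shows how much more
    than the denied path a widened rule lets through."""
    pattern, mask = rule.rstrip(",").rsplit(" ", 1)
    return perm in mask and _glob_to_regex(pattern).match(path) is not None

def rules_by_profile(lines: List[str]) -> Dict[str, List[str]]:
    """profile name -> sorted exact rules, one per distinct denial."""
    found: Dict[str, set] = {}
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            found.setdefault(d.profile, set()).add(exact_rule(d))
    return {p: sorted(r) for p, r in found.items()}

# The two DENIED lines quoted in the report, joined onto single lines; the
# ALLOWED line is constructed to show that non-denials are skipped.
REPORTED_AUDIT_LINES = [
    '[ 66.683094] audit: type=1400 audit(1763047623.421:126): apparmor="DENIED" '
    'operation="open" class="file" profile="ubuntu_pro_esm_cache" '
    'name="/sys/firmware/devicetree/base/model" pid=1772 comm="python3" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[1250769.610083] audit: type=1400 audit(1763111087.744:78534): apparmor="DENIED" '
    'operation="open" class="file" profile="ubuntu_pro_esm_cache_systemd_detect_virt" '
    'name="/sys/firmware/dmi/entries/0-0/raw" pid=619752 comm="systemd-detect-" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 66.700000] audit: type=1400 audit(1763047623.500:127): apparmor="ALLOWED" '
    'operation="open" class="file" profile="ubuntu_pro_esm_cache" '
    'name="/var/lib/ubuntu-advantage/status.json" pid=1772 comm="python3" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for profile, rules in rules_by_profile(REPORTED_AUDIT_LINES).items():
        print(profile, rules)
    wide = widened_rule(parse_denial(REPORTED_AUDIT_LINES[1]), 4)
    # Constructed sibling paths: what the widened rule does and does not cover.
    for p in ("/sys/firmware/dmi/entries/1-0/raw", "/sys/firmware/dmi/tables/DMI"):
        print(wide, "grants read on", p, "->", rule_grants(wide, p))
```

The check at the end is the one to run before accepting a `**` rule: it confirms the widened DMI rule reaches the other `N-M/raw` entries it needs, but not `/sys/firmware/dmi/tables/`, while the literal devicetree rule grants nothing beyond the one file the client reads.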
** Changed in: ubuntu-advantage-tools (Ubuntu Jammy)
Assignee: (unassigned) => Renan Rodrigo (rr)
** Changed in: ubuntu-advantage-tools (Ubuntu Noble)
Assignee: (unassigned) => Renan Rodrigo (rr)
** Changed in: ubuntu-advantage-tools (Ubuntu)
Assignee: (unassigned) => Renan Rodrigo (rr)
** Changed in: ubuntu-advantage-tools (Ubuntu Questing)
Assignee: (unassigned) => Renan Rodrigo (rr)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2131292
Title:
[SRU] esm_cache.py causes apparmor DENIED audit messages when trying
to access devicetree
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2131292/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs