os-prober exits prematurely with "logger: socket /dev/log: Protocol wrong type for socket"

Bug #1826294 reported by Dara Poon
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor Profiles
Undecided
Unassigned
os-prober (Ubuntu)
Undecided
Unassigned

Bug Description

Failure occurs on Ubuntu 16.04 with the apparmor-profiles-2.10.95-0ubuntu2.10 package installed.

Running update-grub will run /usr/bin/os-prober, which spews about a dozen of the following line to stderr:

    logger: socket /dev/log: Protocol wrong type for socket

… but fails to report the existence of some installed operating systems as expected.

Furthermore, /var/log/messages contains:

    kernel: audit: type=1400 audit(1556043066.679:11460): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="syslog-ng" name="dev/log" pid=28566 comm="logger" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Here is a stripped-down skeleton of the /usr/bin/os-prober script, which demonstrates the problem:

    #!/bin/sh
    set -e -x

    newns () {
      [ "$OS_PROBER_NEWNS" ] || exec /usr/lib/os-prober/newns "$0" "$@"
    }

    log() {
      logger -t "$(basename "$0")" "$@"
    }

    debug() {
      log "debug: $@"
    }

    ls -l /dev/log
    debug "Hello world"
    newns "$@"

The expected behavior is that it should write "debug: os-prober-testcase Hello world" to /var/log/messages twice. However, it only succeeds in writing "Hello world" once. After the script respawns itself with /usr/lib/os-prober/newns (which is like `unshare -m`), the second attempt to write to /dev/log fails as described above.

Since the os-prober Bash script runs with the -e flag, any error, even just a logging error, causes the script to terminate prematurely. (Arguably, the log() function should call `logger -t "$(basename "$0")" "$@" || :` so that logging failures aren't fatal.)

The fix, for me, is to edit /etc/apparmor.d/sbin.syslog-ng, and change

    profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain) {\
      …
    }

to

    profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain,attach_disconnected) {
      …
    }

… then run `aa-complain sbin.syslog-ng` and `service syslog-ng restart`, before running update-grub again. I assume that similar fixes would be required for the other logging daemons.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers