Services fail to start in noble deployed with TPM+FDE
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
cups (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
rsyslog (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
sssd (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
systemd (Ubuntu) |
Confirmed
|
High
|
Nick Rosbrook |
Bug Description
What's known so far:
- 24.04 desktop deployed with TPM+FDE shows this bug
- services confined with apparmor that need to access something in /run/systemd (like the notify socket) fail to do so, even if the apparmor profile is in complain mode. And the apparmor profile does already have rules to allow that access
- only after running aa-disable <path> can the service start fine
- paths logged by the apparmor DENIED or ALLOWED messages are missing the "/run" prefix from "/run/systemd/
- When we add rules to the profile using "/systemd/...." (i.e., also dropping the /run prefix), then it works
- other access in /run/systemd/ are also blocked, but the most noticeable one is the notify mechanism
- comment #2 also states that azure CVM images are also impacted
- comment #4 has instructions on how to create such a VM locally with LXD vms
Original description follows:
This might be related to #2064088
The rsyslog service is continually timing out and restarting. If I use a service drop-in file and change the 'Type' from 'notify' to 'simple', the service starts and appears to work normally.
In the journal, I can see the attached apparmor errors. I can't make sense of them, but if it's a similar issue to #2064088, then I suspect apparmor is preventing the systemd notify function from alerting systemd that the service is up and running.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: rsyslog 8.2312.0-3ubuntu9
ProcVersionSign
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckM
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 29 10:37:46 2024
ProcEnviron:
LANG=en_GB.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
XDG_RUNTIME_
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)
affects: | rsyslog (Ubuntu) → apparmor (Ubuntu) |
affects: | apparmor (Ubuntu) → rsyslog (Ubuntu) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in systemd (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Nick Rosbrook (enr0n) |
Azure CVM images are impacted by the same issue. I see on #2064088 that this is an tpm-backed FDE system. So I think it's the same problem here if those desktop images use an systemd-based initramfs.
For now I suspect that the issue is due to systemd starting services and setting up UNIX sockets (eg /run/systemd/ journal/ dev-log, /run/systemd/notify and others) before doing the pivot_root and reexec. Then, when apparmor tries to resolve the path of the peer socket it fails here[1] I believe.
[1] https:/ /git.launchpad. net/~ubuntu- kernel/ ubuntu/ +source/ linux/+ git/noble/ tree/fs/ d_path. c#n125