Activity log for bug #2067319

Date Who What changed Old value New value Message
2024-05-27 19:22:43 Renan Rodrigo bug added bug
2024-05-27 19:28:21 Andreas Hasenack bug added subscriber Andreas Hasenack
2024-05-27 19:28:25 Andreas Hasenack ubuntu-advantage-tools (Ubuntu): status New Confirmed
2024-05-27 19:56:54 Andreas Hasenack ubuntu-advantage-tools (Ubuntu): assignee Andreas Hasenack (ahasenack)
2024-05-27 19:56:58 Andreas Hasenack ubuntu-advantage-tools (Ubuntu): importance Undecided High
2024-05-27 19:57:00 Andreas Hasenack ubuntu-advantage-tools (Ubuntu): status Confirmed In Progress
2024-05-27 19:59:20 Andreas Hasenack description [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). Logs: 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin 2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" 
operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" 
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end [ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well. [ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines. [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge effort. 
On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others: root@f-pristine:~# ls -la /{bin,lib,lib*,sbin} lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32 lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin In bionic, these are actual directories: root@b:~# ls -lad /{bin,lib,lib*,sbin} drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64 drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories. Logs: 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin       2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" 
class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" 
namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end [ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well. [ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines.
2024-05-27 20:00:25 Andreas Hasenack description [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge effort. On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others: root@f-pristine:~# ls -la /{bin,lib,lib*,sbin} lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32 lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin In bionic, these are actual directories: root@b:~# ls -lad /{bin,lib,lib*,sbin} drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64 drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories. 
Logs: 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin       2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" 
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end [ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well. 
[ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines. [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge[1] effort. On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others: root@f-pristine:~# ls -la /{bin,lib,lib*,sbin} lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32 lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin In bionic, these are actual directories: root@b:~# ls -lad /{bin,lib,lib*,sbin} drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64 drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories. 
Logs: 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin       2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" 
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end 1. https://wiki.debian.org/UsrMerge [ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well. 
[ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines.
2024-05-28 15:14:01 Renan Rodrigo description [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge[1] effort. On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others: root@f-pristine:~# ls -la /{bin,lib,lib*,sbin} lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32 lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin In bionic, these are actual directories: root@b:~# ls -lad /{bin,lib,lib*,sbin} drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 438 Jun 7 2023 /lib drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64 drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories. 
Logs: 2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin       2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" 
requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000       2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end 1. https://wiki.debian.org/UsrMerge [ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well. 
[ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines.
[ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge[1] effort.
On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others:
    root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
    lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin
    lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
    lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
    lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32
    lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64
    lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
    lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin
In bionic, these are actual directories:
    root@b:~# ls -lad /{bin,lib,lib*,sbin}
    drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin
    drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
    drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
    drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64
    drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin
In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories.
Logs:
    2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
    2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end
1. https://wiki.debian.org/UsrMerge
[ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well.
[ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines.
Given the nature of the change needed for this fix, it is very unlikely that we are breaking anything else: we are making the rules more permissive than they were before. However, if any typo is present, we may be breaking the esm-cache.service as mentioned before.
2024-05-28 15:19:56 Renan Rodrigo description [ Impact ] On ubuntu-advantage-tools v32.2, currently in -proposed, we are hitting apparmor DENIED errors on the apt update hook which executes esm-cache.service. This ONLY happens if the version with the apparmor profiles is installed on a Focal system which has been upgraded from Bionic, using do-release-upgrade. It seems that despite covering /usr/bin/ in the profile on Focal for commands like uname or systemctl, we don't account for /bin/. However, when coming from a Bionic system, /bin/ is an actual folder instead of a symlink (as expected on a fresh Focal machine). This happens because of the usr-merge[1] effort.
On fresh focal systems, we have symlinks replacing top-level directories like /bin, /sbin, and others:
    root@f-pristine:~# ls -la /{bin,lib,lib*,sbin}
    lrwxrwxrwx 1 root root 7 May 24 21:40 /bin -> usr/bin
    lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
    lrwxrwxrwx 1 root root 7 May 24 21:40 /lib -> usr/lib
    lrwxrwxrwx 1 root root 9 May 24 21:40 /lib32 -> usr/lib32
    lrwxrwxrwx 1 root root 9 May 24 21:40 /lib64 -> usr/lib64
    lrwxrwxrwx 1 root root 10 May 24 21:40 /libx32 -> usr/libx32
    lrwxrwxrwx 1 root root 8 May 24 21:40 /sbin -> usr/sbin
In bionic, these are actual directories:
    root@b:~# ls -lad /{bin,lib,lib*,sbin}
    drwxr-xr-x 1 root root 2472 Jun 7 2023 /bin
    drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
    drwxr-xr-x 1 root root 438 Jun 7 2023 /lib
    drwxr-xr-x 1 root root 40 Jun 7 2023 /lib64
    drwxr-xr-x 1 root root 3694 Jun 7 2023 /sbin
In a focal system that was upgraded from bionic, the usr-merge is not done, and this focal system will retain the bionic top-level directories.
Logs:
    2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED begin
    2024-05-24 03:09:16,344:WARNING:root:May 24 03:09:09 rtp kernel: [237304.232128] audit: type=1400 audit(1716530949.314:82839): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=108713 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.261953] audit: type=1400 audit(1716530949.346:82840): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=108714 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.456301] audit: type=1400 audit(1716530949.538:82841): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=108719 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:09 rtp kernel: [237304.514651] audit: type=1400 audit(1716530949.598:82842): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=108721 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:11 rtp kernel: [237306.797550] audit: type=1400 audit(1716530951.878:82843): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache" name="/bin/uname" pid=109364 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:11 rtp kernel: [237306.827422] audit: type=1400 audit(1716530951.910:82844): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109365 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:12 rtp kernel: [237307.022790] audit: type=1400 audit(1716530952.106:82845): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/uname" pid=109370 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:12 rtp kernel: [237307.074546] audit: type=1400 audit(1716530952.158:82846): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_esm_cache//cloud_id" name="/bin/systemctl" pid=109372 comm="cloud-id" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    May 24 03:09:14 rtp kernel: [237309.142413] audit: type=1400 audit(1716530954.226:82847): apparmor="DENIED" operation="exec" class="file" namespace="root//lxd-upro-behave-bionic-system-under-test-0524-025458284620_<var-snap-lxd-common-lxd>" profile="ubuntu_pro_apt_news" name="/bin/uname" pid=109856 comm="python3" requested_mask="x" denied_mask="x" fsuid=1000000 ouid=1000000
    2024-05-24 03:09:16,344:WARNING:root:XXX apparmor DENIED end
1. https://wiki.debian.org/UsrMerge
[ Test Plan ] These were caught by the automated verification tests for v32.2 in -proposed. If all of the automated verification tests pass for the version with the fix (32.3), then that will be considered a verification for this bug as well.
The specific tests to be executed for this are:
1. The Bionic to Focal upgrade tests:
   - features/ubuntu_upgrade.feature:50 Attached upgrade -- @1.2 ubuntu release
   - features/ubuntu_upgrade.feature:51 Attached upgrade -- @1.3 ubuntu release
   - features/ubuntu_upgrade_unattached.feature:62 Unattached upgrade -- @1.2 ubuntu release
2. The following Focal tests which verify the esm cache working:
   - features/unattached_commands.feature:370 esm cache failures don't generate errors -- @1.2 ubuntu release
   - all of features/security-status.feature
[ Where problems could occur ] The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines.
Given the nature of the change needed for this fix, it is very unlikely that we are breaking anything else: we are making the rules more permissive than they were before. However, if any typo is present, we may be breaking the esm-cache.service as mentioned before.
2024-05-28 21:20:26 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Noble): status New Fix Committed
2024-05-28 21:20:27 Andreas Hasenack bug added subscriber Ubuntu Stable Release Updates Team
2024-05-28 21:20:29 Andreas Hasenack bug added subscriber SRU Verification
2024-05-28 21:20:32 Andreas Hasenack tags verification-needed verification-needed-noble
2024-05-28 21:22:12 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Mantic): status New Fix Committed
2024-05-28 21:22:17 Andreas Hasenack tags verification-needed verification-needed-noble verification-needed verification-needed-mantic verification-needed-noble
2024-05-28 21:24:04 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Jammy): status New Fix Committed
2024-05-28 21:24:09 Andreas Hasenack tags verification-needed verification-needed-mantic verification-needed-noble verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble
2024-05-28 21:25:50 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Focal): status New Fix Committed
2024-05-28 21:25:55 Andreas Hasenack tags verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble
2024-05-28 21:27:32 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Bionic): status New Fix Committed
2024-05-28 21:27:37 Andreas Hasenack tags verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble
2024-05-28 21:29:13 Andreas Hasenack ubuntu-advantage-tools (Ubuntu Xenial): status New Fix Committed
2024-05-28 21:29:18 Andreas Hasenack tags verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial
2024-05-29 02:42:03 Lucas Albuquerque Medeiros de Moura attachment added test-results-32.3.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067319/+attachment/5783774/+files/test-results-32.3.tar.xz
2024-05-29 02:42:55 Lucas Albuquerque Medeiros de Moura tags verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-mantic verification-done-noble verification-done-xenial
2024-05-29 15:03:56 Launchpad Janitor ubuntu-advantage-tools (Ubuntu): status In Progress Fix Released
2024-05-29 15:05:10 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Noble): status Fix Committed Fix Released
2024-05-29 15:05:46 Andreas Hasenack removed subscriber Ubuntu Stable Release Updates Team
2024-05-29 15:06:08 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Mantic): status Fix Committed Fix Released
2024-05-29 15:06:34 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Jammy): status Fix Committed Fix Released
2024-05-29 15:06:56 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Focal): status Fix Committed Fix Released
2024-05-29 15:07:19 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Bionic): status Fix Committed Fix Released
2024-05-29 15:07:43 Launchpad Janitor ubuntu-advantage-tools (Ubuntu Xenial): status Fix Committed Fix Released