2024-05-23 15:01:43 |
Grant Orndorff |
bug |
|
|
added bug |
2024-05-23 15:04:01 |
Grant Orndorff |
description |
[ Impact ]
The new apparmor profile for esm-cache.service has sub profiles for subprocesses and some of them were incomplete, resulting in the following apparmor DENIED messages in the following situations:
On xenial, after a `pro attach`:
2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED begin
2024-05-21 15:22:29,438:WARNING:root:May 21 19:20:58 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 63.187079] audit: type=1400 audit(1716319258.652:25): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache_systemd_detect_virt" pid=3582 comm="systemd-detect-" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253406] audit: type=1400 audit(1716319259.720:26): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253671] audit: type=1400 audit(1716319259.720:27): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253817] audit: type=1400 audit(1716319259.720:28): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253952] audit: type=1400 audit(1716319259.720:29): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254086] audit: type=1400 audit(1716319259.720:30): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254247] audit: type=1400 audit(1716319259.720:31): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254406] audit: type=1400 audit(1716319259.720:32): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254537] audit: type=1400 audit(1716319259.720:33): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254665] audit: type=1400 audit(1716319259.720:34): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED end
On focal, after a `pro attach`:
2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED begin
2024-05-21 15:25:25,975:WARNING:root:May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.279:43): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3114 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:44): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:45): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:46): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:47): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:48): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.553:49): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3322 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.709:50): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.713:51): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:52): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:53): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:54): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED end
[ Test Plan ]
These were caught by the automated verification tests for v32.1 in -proposed. If all of the automated verification tests pass for the version with this fix (32.2), then that will be considered a verification for this bug as well.
[ Where problems could occur ]
The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines. |
[ Impact ]
The new apparmor profile for esm-cache.service has sub profiles for subprocesses and some of them were incomplete, resulting in the following apparmor DENIED messages in the following situations:
On xenial, after a `pro attach`:
2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED begin
2024-05-21 15:22:29,438:WARNING:root:May 21 19:20:58 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 63.187079] audit: type=1400 audit(1716319258.652:25): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache_systemd_detect_virt" pid=3582 comm="systemd-detect-" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253406] audit: type=1400 audit(1716319259.720:26): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253671] audit: type=1400 audit(1716319259.720:27): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253817] audit: type=1400 audit(1716319259.720:28): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.253952] audit: type=1400 audit(1716319259.720:29): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254086] audit: type=1400 audit(1716319259.720:30): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254247] audit: type=1400 audit(1716319259.720:31): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254406] audit: type=1400 audit(1716319259.720:32): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254537] audit: type=1400 audit(1716319259.720:33): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
May 21 19:20:59 upro-behave-xenial-system-under-test-0521-151920682865 kernel: [ 64.254665] audit: type=1400 audit(1716319259.720:34): apparmor="DENIED" operation="ptrace" profile="ubuntu_pro_esm_cache//ps" pid=3589 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
2024-05-21 15:22:29,438:WARNING:root:XXX apparmor DENIED end
On focal, after a `pro attach`:
2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED begin
2024-05-21 15:25:25,975:WARNING:root:May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.279:43): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3114 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:44): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:45): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:46): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:47): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:33 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319473.447:48): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3115 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.553:49): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemd_detect_virt" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3322 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.709:50): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.713:51): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:52): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:53): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/environ" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 21 19:24:44 upro-behave-focal-system-under-test-0521-152234400502 kernel: audit: type=1400 audit(1716319484.717:54): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache_systemctl" name="/proc/1/sched" pid=3323 comm="systemctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2024-05-21 15:25:25,975:WARNING:root:XXX apparmor DENIED end
[ Test Plan ]
These were caught by the automated verification tests for v32.1 in -proposed. If all of the automated verification tests pass for the version with this fix (32.2), then that will be considered a verification for this bug as well.
The specific tests that found this issue can be run with the following command:
tox run -e behave -- -D install_from=proposed features/attach_validtoken.feature:194 features/attach_validtoken.feature:196
[ Where problems could occur ]
The fix edits the template for the ubuntu_pro_esm_cache apparmor profile. If mistakes were made, it may cause new apparmor denials or other related issues, ultimately meaning esm-cache.service wouldn't run properly, preventing esm update notifications from being displayed on unattached machines. |
|
2024-05-23 15:40:12 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2024-05-23 20:45:15 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Noble): status |
New |
Fix Committed |
|
2024-05-23 20:45:17 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-05-23 20:45:22 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2024-05-23 20:45:29 |
Andreas Hasenack |
tags |
|
verification-needed verification-needed-noble |
|
2024-05-23 20:47:14 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Mantic): status |
New |
Fix Committed |
|
2024-05-23 20:47:18 |
Andreas Hasenack |
tags |
verification-needed verification-needed-noble |
verification-needed verification-needed-mantic verification-needed-noble |
|
2024-05-23 20:48:49 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Jammy): status |
New |
Fix Committed |
|
2024-05-23 20:48:55 |
Andreas Hasenack |
tags |
verification-needed verification-needed-mantic verification-needed-noble |
verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble |
|
2024-05-23 20:50:46 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Focal): status |
New |
Fix Committed |
|
2024-05-23 20:50:52 |
Andreas Hasenack |
tags |
verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble |
|
2024-05-23 20:54:04 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Bionic): status |
New |
Fix Committed |
|
2024-05-23 20:54:11 |
Andreas Hasenack |
tags |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble |
|
2024-05-23 20:58:38 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
Fix Committed |
|
2024-05-23 20:58:43 |
Andreas Hasenack |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial |
|
2024-05-24 13:07:34 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
New |
Fix Released |
|
2024-05-29 12:23:48 |
Renan Rodrigo |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial |
verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-mantic verification-done-noble verification-done-xenial |
|
2024-05-29 15:05:10 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Noble): status |
Fix Committed |
Fix Released |
|
2024-05-29 15:05:42 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2024-05-29 15:06:08 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2024-05-29 15:06:34 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2024-05-29 15:06:56 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2024-05-29 15:07:19 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2024-05-29 15:07:43 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|