Apparmor denial on /var/lib/dpkg/arch
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-tools (Ubuntu) | Status tracked in Oracular | | |
Xenial | Fix Released | Medium | Andreas Hasenack |
Bionic | Fix Released | Medium | Andreas Hasenack |
Focal | Fix Released | Medium | Andreas Hasenack |
Jammy | Fix Released | Medium | Andreas Hasenack |
Mantic | Fix Released | Medium | Andreas Hasenack |
Noble | Fix Released | Medium | Andreas Hasenack |
Oracular | Fix Released | Medium | Andreas Hasenack |
Bug Description
[ Impact ]
Systems with a /var/lib/dpkg/arch file will trigger an apparmor DENIED log entry when the esm-cache service tries to access that file.
Not all systems have /var/lib/dpkg/arch. It is created, probably among other scenarios, when a subarchitecture is added. For example, on amd64 systems it is quite common to also have i386 added via the command
    sudo dpkg --add-architecture i386
That is enough to create /var/lib/dpkg/arch populated with both amd64 and i386, and to trigger this bug.
Within the Pro client, we determined that the bug is triggered when a) that file exists; and b) the Pro client, as part of running esm-cache.service, calls `apt-cache policy`. That call accesses /var/lib/dpkg/arch under the dpkg and other apparmor subprofiles defined in /etc/apparmor.
After learning of this bug, we ran the upstream test suite with the bug trigger in place and without the fix, and no test failed because of this bug (other than the check for apparmor DENIED logs). Even so, this influx of apparmor log entries is troubling and noisy, and we could have missed a scenario where it really causes incorrect behavior in the Pro client. Given that the fix is simple and easy to test, we decided to proceed with this SRU.
[ Test Plan ]
a) A very specific test for this issue. It needs to be run in a VM, not LXD; otherwise apparmor will block /dev/pts/*, which affects this test (but does not affect esm-cache.service; see test (b)).
- install the Pro client version to be tested
- run these commands:
sudo touch /var/lib/dpkg/arch
sudo aa-exec -p ubuntu_
sudo aa-exec -p ubuntu_
Without the fix, both commands produce apparmor DENIED messages in the dmesg logs showing an attempted access to /var/lib/dpkg/arch; in addition, the dpkg one fails (apt-cache policy does not fail).
b) esm-cache.service test (only in an LTS)
- install the Pro client version to be tested
- run these commands in sequence as root:
touch /var/lib/dpkg/arch
rm -rf /var/lib/
systemctl start esm-cache.service
Without the fix, the dmesg logs will contain apparmor DENIED messages showing attempted accesses to /var/lib/dpkg/arch.
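To check the result of the two tests above without reading raw dmesg output by hand, the following POSIX shell script (an added example, not part of the bug report or of the Pro client) extracts AppArmor DENIED events on /var/lib/dpkg/arch from kernel log lines and reports which profile refused the access. The lines in SAMPLE_LOG are constructed for illustration: the timestamps, pids and the subprofile names ubuntu_pro_esm_cache//dpkg and ubuntu_pro_esm_cache//apt_cache are assumptions (only the ubuntu_pro_esm_cache profile file name comes from this page).

```shell
#!/bin/sh
# Added example (not from the bug report or the Pro client): scan kernel/audit
# log lines for AppArmor DENIED events on /var/lib/dpkg/arch and report the
# denying profile together with the access mode that was refused.

# Constructed sample log lines. Timestamps, pids and the subprofile names
# (ubuntu_pro_esm_cache//dpkg, ubuntu_pro_esm_cache//apt_cache) are assumptions
# made for this illustration; only the profile file name is taken from the bug.
SAMPLE_LOG='[ 9001.000001] audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=4242 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 9001.000002] audit: type=1400 audit(1700000000.002:102): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_cache" name="/var/lib/dpkg/arch" pid=4243 comm="apt-cache" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 9001.000003] audit: type=1400 audit(1700000000.003:103): apparmor="ALLOWED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/etc/dpkg/dpkg.cfg" pid=4242 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 9001.000004] audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="open" class="file" profile="unrelated_profile" name="/var/lib/dpkg/arch" pid=5000 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# arch_denials: read log lines on stdin; for every DENIED event whose target is
# exactly /var/lib/dpkg/arch print "<profile> <denied_mask>", one per line.
arch_denials() {
    grep 'apparmor="DENIED"' \
    | grep 'name="/var/lib/dpkg/arch"' \
    | sed -n 's/.*profile="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p'
}

# esm_cache_arch_denials: same, restricted to the ubuntu_pro_esm_cache profile
# and its subprofiles (names of the form ubuntu_pro_esm_cache//<sub>).
# Never fails, so it is safe to call under "set -e" when there are no matches.
esm_cache_arch_denials() {
    arch_denials | grep '^ubuntu_pro_esm_cache' || :
}

# count_lines: print the number of lines on stdin without wc's padding.
count_lines() {
    wc -l | tr -d ' '
}

# check_esm_cache_log: read log lines on stdin; print any esm-cache denials on
# /var/lib/dpkg/arch and return 1 if there were some, 0 if the log is clean.
check_esm_cache_log() {
    found=$(esm_cache_arch_denials)
    if [ -n "$found" ]; then
        printf 'esm-cache denials on /var/lib/dpkg/arch:\n%s\n' "$found"
        return 1
    fi
    printf 'no esm-cache denials on /var/lib/dpkg/arch\n'
    return 0
}

# Stand-alone demonstration on the constructed sample. On a real test machine
# feed the kernel log instead: "dmesg | check_esm_cache_log" or
# "journalctl -k | check_esm_cache_log" after starting esm-cache.service.
printf '%s\n' "$SAMPLE_LOG" | check_esm_cache_log || true
```

With the fix applied, running the test plan and then `dmesg | check_esm_cache_log` should report no denials; without it, the dpkg and apt-cache subprofiles show up in the output, which is the signal the test plan asks for.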
[ Where problems could occur ]
A syntax error in the apparmor profile would prevent it from loading and remove its protection entirely. To guard against that, the package build process runs an apparmor static check on the generated profiles, and if that check fails, the package build fails. The profile could still hit load-time errors that depend on the running kernel, which is likely different from the kernel running on the Launchpad builders.
Another possible mistake is inadvertently opening up the profile more than needed. But the extra access granted here is read-only, and the affected profiles do need it.
[ Other Info ]
Upstream bug report: https:/
Unfortunately this wasn't caught by the extensive Pro test suite because the test units (vms, lxd containers) never had a /var/lib/dpkg/arch file in them. Likewise, the development container where this profile was first created also didn't have that file.
[ Original Description ]
ubuntu-
[ 8091.769560] audit: type=1400 audit(171727312
Fix:
--- /etc/apparmor.
+++ /etc/apparmor.
@@ -174,6 +174,8 @@
/etc/dpkg/** r,
+ /var/lib/dpkg/** r,
+
/{
}
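Review bot: the added rule `/var/lib/dpkg/** r,` grants read access to every file under /var/lib/dpkg, while the denial this fixes is only on /var/lib/dpkg/arch; if the dpkg and apt-cache subprofiles only need that file, `/var/lib/dpkg/arch r,` would be the narrower rule, and if the broader glob is intentional a one-line comment above it saying why (the `apt-cache policy` access described in the bug) would save the next reviewer the question. The `r` mode does match the read-only scope claimed under "[ Where problems could occur ]".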
Related branches
- Renan Rodrigo (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 84 lines (+30/-1), 4 files modified
  debian/apparmor/ubuntu_pro_esm_cache.jinja2 (+9/-0)
  debian/changelog (+12/-0)
  features/steps/machines.py (+8/-0)
  uaclient/version.py (+1/-1)
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Mantic): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Noble): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Mantic): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Noble): | |
status: | New → In Progress |
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Mantic): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Noble): | |
importance: | Undecided → Medium |
Changed in ubuntu-advantage-tools (Ubuntu Oracular): | |
importance: | Undecided → Medium |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
summary: | New Apparmor denial with ubuntu-advantage-tools on bionic → Apparmor denial on /var/lib/dpkg/arch |
Hi,
we haven't seen this denial in our testing, could you please help to narrow it down to which conditions trigger it? Can you perhaps map the apparmor deny timestamp with something in your system logs, like /var/log/syslog or /var/log/ubuntu-advantage.log?