canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

Bug: esm-cache.service fails if `/etc/os-release` is NOT a symlink to `/usr/lib/os-release` #3109

Open panlinux opened 1 month ago

panlinux commented 1 month ago

Description of the bug

On systems where /etc/os-release is an actual file instead of a symlink to /usr/lib/os-release, the apparmor profile ubuntu_pro_esm_cache will block access to it. The existing profile only allows access to /usr/lib/os-release (via globbing rules written in other profiles that are being included).

Since the target of the symlink is what matters, if /etc/os-release is a symlink to /usr/lib/os-release (normal/common in ubuntu systems), the existing rules allow that access. But if /etc/os-release is an actual file, there is no rule in ubuntu_pro_esm_cache allowing it to be read, and the esm-cache.service fails to start.

root@j-uat-2065573:~# ll /etc/os-release /usr/lib/os-release 
lrwxrwxrwx 1 root root  19 May 13 19:17 /etc/os-release -> /usr/lib/os-release
-rw-r--r-- 1 root root 386 May 13 16:41 /usr/lib/os-release
root@j-uat-2065573:~# rm /etc/os-release
root@j-uat-2065573:~# cp /usr/lib/os-release /etc/
root@j-uat-2065573:~# ll /etc/os-release /usr/lib/os-release 
-rw-r--r-- 1 root root 386 May 13 19:17 /etc/os-release
-rw-r--r-- 1 root root 386 May 13 16:41 /usr/lib/os-release
root@j-uat-2065573:~# systemctl start esm-cache.service

The esm-cache.service status will show this error:

May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-05-13T19:17:29.370", "ERROR", "ubuntupro.lib.esm_cache", "main", 17, "Error updating the cache: [Errno 13] Permission denied: '/etc/os-release'", {}]

And here is the corresponding apparmor log:

[Mon May 13 19:17:28 2024] audit: type=1400 audit(1715627849.366:49): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" name="/etc/os-release" pid=3490 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Expected behavior

It's not clear under which circumstances /etc/os-release might be a file instead of a symlink, but nevertheless reading it should be allowed by the apparmor profile.

Current behavior

The esm-cache service fails to read /etc/os-release, and fails to run/start.

To Reproduce

sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo rm -rf /var/lib/apt/periodic/*
sudo systemctl start esm-cache.service

And:

sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo aa-exec -p ubuntu_pro_esm_cache cat /etc/os-release

System information:

Additional context

Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2065573

robotparty commented 3 weeks ago

Seeing this in PopOS I think because they changed the source of the symlink:

❯ ll /etc/os-release
lrwxrwxrwx 1 root root 17 Jul 27  2023 /etc/os-release -> pop-os/os-release

panlinux commented 3 weeks ago

@robotparty I'm not sure what the support status of Pro on PopOS is, but I suppose you can work around this issue by creating/editing /etc/apparmor.d/local/ubuntu_pro_esm_cache with:

/etc/pop-os/os-release r,

and then reloading the profile:

sudo apparmor_parser -r -W -T /etc/apparmor.d/ubuntu_pro_esm_cache

In that way, you won't be changing the profile shipped with the package, and won't get dpkg conf prompts when upstream changes it again.

Does that work?

trfore commented 3 weeks ago

@panlinux adding /etc/pop-os/os-release r, to /etc/apparmor.d/local/ubuntu_pro_esm_cache did work for me on PopOS 22.04. It required a system reboot, but it worked. Thanks!

Hopefully, it resolves @robotparty's issue.