Closed panlinux closed 3 months ago
Ok, had an excellent troubleshooting session with @renanrodrigo and we found the origin of the problem.
Basically, just the presence of /var/lib/dpkg/arch is enough to trigger the attempted access and subsequent DENIED. Even if the file is empty. But the most common case seems to be systems that have a subarchitecture, like i386, added like dpkg --add-architecture i386. That will create /var/lib/dpkg/arch with amd64 and i386 in it.
We don't know yet the consequence of this DENIED error. It looks like it's triggered by apt-cache policy called by Pro, which ends up calling dpkg --print-foreign-architectures, which is what attempts to read /var/lib/dpkg/arch.
I diffed the output of apt-cache policy with and without the apparmor profile, and even though the run with the apparmor profile had the DENIED log entries, the actual output has no differences:
$ sudo aa-exec -p ubuntu_pro_esm_cache apt-cache policy > denied
$ sudo apt-cache policy > allowed
$ diff -u allowed denied
$
It's the same attached or unattached.
Further troubleshooting shows that also the apt_methods_gpgv child profile is affected in this situation:
[Mon Jun 3 13:39:19 2024] audit: type=1400 audit(1717421960.564:105): apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=4879 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
I'll go over the profiles and make sure /var/lib/dpkg is allowed whenever we are dealing with apt or dpkg.
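Triaging denials like the one above usually means collecting every apparmor="DENIED" audit record, grouping by profile and path, and turning the merged denied_mask into a minimal rule. The following is an added example of that triage logic, not code from ubuntu-pro-client or the Ubuntu AppArmor tooling. The log lines it runs over are constructed for the example: the first mirrors the entry posted in this thread, the others (a denial in the parent profile, an ALLOWED record, and a non-AppArmor line) are assumed.

```python
"""Parse AppArmor audit records and propose minimal profile rules.

Added example for triaging DENIED events such as the /var/lib/dpkg/arch
read in this issue. Not part of ubuntu-pro-client; the SAMPLE_LINES below
are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample input. Line 1 mirrors the denial posted in the thread;
# the parent-profile denial, the ALLOWED record and the unrelated line are
# assumptions made for this example.
SAMPLE_LINES = [
    '[Mon Jun 3 13:39:19 2024] audit: type=1400 audit(1717421960.564:105): '
    'apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" '
    'name="/var/lib/dpkg/arch" pid=4879 comm="dpkg" requested_mask="r" denied_mask="r" '
    'fsuid=105 ouid=0',
    '[Mon Jun 3 13:39:19 2024] audit: type=1400 audit(1717421960.101:104): '
    'apparmor="DENIED" operation="open" profile="ubuntu_pro_esm_cache" '
    'name="/var/lib/dpkg/arch" pid=4870 comm="dpkg" requested_mask="r" denied_mask="r" '
    'fsuid=0 ouid=0',
    '[Mon Jun 3 13:39:19 2024] audit: type=1400 audit(1717421960.050:103): '
    'apparmor="ALLOWED" operation="open" profile="ubuntu_pro_esm_cache" '
    'name="/var/lib/dpkg/status" pid=4870 comm="apt-cache" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
    '[Mon Jun 3 13:39:20 2024] systemd[1]: Started Ubuntu Pro ESM cache.',
]

# key="quoted value" or key=bare_value; audit(...) has no '=' so it is skipped.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which AppArmor conventionally writes permission letters in a rule.
_MASK_ORDER = "rwamklx"


def parse_apparmor_line(line: str) -> Optional[dict]:
    """Return the key/value fields of an apparmor= audit record, else None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize_denials(lines) -> dict:
    """Group DENIED records by (profile, path); merge their denied masks.

    Returns {(profile, path): mask} with mask letters in rule order, so a
    path denied once for "r" and once for "w" comes back as "rw".
    """
    denied = defaultdict(set)
    for line in lines:
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        denied[(f.get("profile"), f.get("name"))].update(f.get("denied_mask", ""))
    return {k: "".join(c for c in _MASK_ORDER if c in v) for k, v in denied.items()}


def propose_rules(summary: dict) -> dict:
    """Turn the summary into candidate rule lines keyed by profile name.

    Each rule grants exactly the denied mask on exactly the denied path,
    which is the least-privilege starting point before widening to a glob.
    """
    rules = defaultdict(list)
    for (profile, path), mask in sorted(summary.items()):
        rules[profile].append(f"{path} {mask},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in propose_rules(summarize_denials(SAMPLE_LINES)).items():
        print(f"# candidate rules for profile {profile}")
        for rule in lines:
            print(f"  {rule}")
```

On a live system the input would be the output of journalctl -k or dmesg filtered for apparmor=, and the candidate rules are a starting point to paste into the profile (here the parent profile and the apt_methods_gpgv child each need their own entry, since the child does not inherit the parent's file rules). Proposing a rule that is no wider than the denied mask on the denied path keeps the profile tight; if you later choose a glob such as /var/lib/dpkg/** it should still be read-only for these paths.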
Confirm that I have this problem on 2 machines running bionic which have empty /var/lib/dpkg/arch
@dominicraf ok that is interesting
The presence of the file was, for us, a guaranteed way to trigger the bug, but of course other situations may cause it.
The fix we applied (and are in process to release) will cover any case by fixing the apparmor profile, but I'm curious - what happens when you run sudo aa-exec -p ubuntu_pro_esm_cache apt-cache policy ?
Confirm that I have this problem on 2 machines running bionic which have empty /var/lib/dpkg/arch
That statement is a bit ambiguous. Do you have a /var/lib/dpkg/arch file that is empty, or do you not have that file?
Aah yes good catch - the presence of the file itself is enough, content won't matter
Sorry, correction, and apologies for any confusion, my comment was rather careless. I am running jammy (22.04), not bionic, and the file /var/lib/dpkg/arch exists and has 2 lines as contents:
# cat /var/lib/dpkg/arch
amd64
i386
The following returns nothing (so it seems I actually have no i386 packages):
# dpkg -l | awk '/^ii/ && $4 == "i386" { print }'
And in answer to the q above:
# aa-exec -p ubuntu_pro_esm_cache apt-cache policy
Package files:
100 /var/lib/dpkg/status
release a=now
510 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates/main amd64 Packages
release v=22.04,o=UbuntuESM,a=jammy-infra-updates,n=jammy,l=UbuntuESM,c=main,b=amd64
origin esm.ubuntu.com
510 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security/main amd64 Packages
release v=22.04,o=UbuntuESM,a=jammy-infra-security,n=jammy,l=UbuntuESM,c=main,b=amd64
origin esm.ubuntu.com
500 https://packagecloud.io/ookla/speedtest-cli/ubuntu jammy/main amd64 Packages
release v=1,o=packagecloud.io/ookla/speedtest-cli,a=jammy,n=jammy,l=speedtest-cli,c=main,b=amd64
origin packagecloud.io
500 https://ppa.launchpadcontent.net/maxmind/ppa/ubuntu jammy/main amd64 Packages
release v=22.04,o=LP-PPA-maxmind,a=jammy,n=jammy,l=MaxMind Libraries and Software,c=main,b=amd64
origin ppa.launchpadcontent.net
500 http://ppa.launchpad.net/maxmind/ppa/ubuntu jammy/main amd64 Packages
release v=22.04,o=LP-PPA-maxmind,a=jammy,n=jammy,l=MaxMind Libraries and Software,c=main,b=amd64
origin ppa.launchpad.net
500 https://ppa.launchpadcontent.net/adiscon/v8-stable/ubuntu jammy/main amd64 Packages
release v=22.04,o=LP-PPA-adiscon-v8-stable,a=jammy,n=jammy,l=rsyslog v8-stable,c=main,b=amd64
origin ppa.launchpadcontent.net
500 http://ppa.launchpad.net/adiscon/v8-stable/ubuntu jammy/main amd64 Packages
release v=22.04,o=LP-PPA-adiscon-v8-stable,a=jammy,n=jammy,l=rsyslog v8-stable,c=main,b=amd64
origin ppa.launchpad.net
500 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=multiverse,b=amd64
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=universe,b=amd64
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=restricted,b=amd64
origin security.ubuntu.com
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64
origin security.ubuntu.com
100 http://gb.archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-backports,n=jammy,l=Ubuntu,c=universe,b=amd64
origin gb.archive.ubuntu.com
100 http://gb.archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-backports,n=jammy,l=Ubuntu,c=main,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=multiverse,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=universe,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=restricted,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
release v=22.04,o=Ubuntu,a=jammy-updates,n=jammy,l=Ubuntu,c=main,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages
release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=multiverse,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=universe,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages
release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=restricted,b=amd64
origin gb.archive.ubuntu.com
500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
release v=22.04,o=Ubuntu,a=jammy,n=jammy,l=Ubuntu,c=main,b=amd64
origin gb.archive.ubuntu.com
Pinned packages:
#
Until the next release, the fix is offered at https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067810
Just install ubuntu-pro-client (32.3.1~24.04) from Proposed.
Description of the bug
Seen in the logs from https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2067728:
Unsure if that's the cause of the LP bug, though, as the ua logs also show errors contacting the contract server (timeouts).
The journal logs at those times are fine:
Incidentally, looks like apport is trying to report the version of the ubuntu-advantage-tools package, but it should also check ubuntu-pro-client.
Expected behavior
No apparmor denied errors.
Current behavior For some unknown operation, the pro client on that system is triggering dpkg apparmor denied errors. We haven't seen those in our testing.
in uaclient/system.py, we have get_dpkg_arch() which calls dpkg --print-architecture, and that works just fine with the current apparmor profile:
And strace confirms that that command does not touch /var/lib/dpkg:
To Reproduce Unknown at the moment.
System information:
Additional context