canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

Bug: apparmor="DENIED" with trying to access /var/lib/dpkg/arch #3148

Closed hloeung closed 3 weeks ago

hloeung commented 3 weeks ago

Description of the bug

/usr/lib/ubuntu-advantage/apt_news.py, called from an apt-get update, is causing various apparmor="DENIED" messages when trying to access /var/lib/dpkg/arch.

Expected behavior

No apparmor="DENIED" messages.

Current behavior

After an apt-get update run, we see:

[Sat Jun 22 02:16:00 2024] audit: type=1400 audit(1717969026.210:1338): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43761 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Jun 22 02:16:00 2024] audit: type=1400 audit(1717969026.216:1339): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43768 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Jun 22 02:16:00 2024] audit: type=1400 audit(1717969026.221:1340): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43773 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Jun 22 02:16:00 2024] audit: type=1400 audit(1717969026.227:1341): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43780 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Jun 22 02:16:00 2024] audit: type=1400 audit(1717969026.241:1342): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43792 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Sat Jun 22 02:16:01 2024] audit: type=1400 audit(1717969027.502:1343): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44232 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
[Sat Jun 22 02:16:01 2024] audit: type=1400 audit(1717969027.515:1344): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44234 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
[Sat Jun 22 02:16:01 2024] audit: type=1400 audit(1717969027.526:1345): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44236 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
[Sat Jun 22 02:16:01 2024] audit: type=1400 audit(1717969027.538:1346): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44238 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
[Sat Jun 22 02:16:01 2024] audit: type=1400 audit(1717969027.550:1347): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44241 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0

To Reproduce

  1. In another terminal, run dmesg -T --follow-new.
  2. In another terminal, run sudo apt-get update.
  3. Monitor for apparmor="DENIED" messages.

System information:

Additional context

renanrodrigo commented 3 weeks ago

Hello, @hloeung! I am closing this as a duplicate of #3137

  1. Your steps may not reproduce this on all machines - you need an attached multiarch system without one of the esm-services enabled (otherwise the esm-cache.service never calls apt-cache policy); this is why our testing didn't catch it: we didn't have that scenario in the suite... now we do :D

  2. A hotfix for this bug is being released and is expected to land this week.
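
For triage of reports like this one, the following added example (not part of the original thread and not code from ubuntu-pro-client) collapses repeated AppArmor audit lines into one entry per profile, path and denied mask, so ten near-identical denials read as two distinct findings. The function names are hypothetical and the sample lines are abridged from the report above.

```python
import re
from collections import defaultdict

# Sample lines abridged from the report above (dmesg timestamp prefix dropped).
SAMPLE = '''\
audit: type=1400 audit(1717969026.210:1338): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43761 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1717969026.216:1339): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//dpkg" name="/var/lib/dpkg/arch" pid=43768 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1717969027.502:1343): apparmor="DENIED" operation="open" class="file" profile="ubuntu_pro_esm_cache//apt_methods_gpgv" name="/var/lib/dpkg/arch" pid=44232 comm="dpkg" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
'''

# Matches key="quoted value" or key=bare_value pairs in an audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def split_profile(profile):
    """Split 'parent//child' into (parent, child); child is '' if absent."""
    parent, _, child = profile.partition("//")
    return parent, child


def summarize(text):
    """Group denials by (profile, path, denied_mask) with counts and fsuids."""
    groups = defaultdict(lambda: {"count": 0, "fsuids": set(), "comms": set()})
    for line in text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue  # not an AppArmor denial; ignore other kernel messages
        key = (fields.get("profile", "?"), fields.get("name", "?"),
               fields.get("denied_mask", "?"))
        groups[key]["count"] += 1
        groups[key]["fsuids"].add(fields.get("fsuid", "?"))
        groups[key]["comms"].add(fields.get("comm", "?"))
    return dict(groups)


if __name__ == "__main__":
    for (profile, path, mask), info in sorted(summarize(SAMPLE).items()):
        parent, child = split_profile(profile)
        print(f"{parent} / {child or '-'}: {mask} on {path} "
              f"x{info['count']} fsuid={sorted(info['fsuids'])}")
```

The differing fsuid values per subprofile show that the same read is denied both as root and as an unprivileged user, which is worth including when reporting a profile gap.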