esm-cache.service denied access to /etc/os-release by apparmor
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) | Status tracked in Oracular | |||||
Xenial |
Fix Released
|
Undecided
|
Unassigned | |||
Bionic |
Fix Released
|
Undecided
|
Unassigned | |||
Focal |
Fix Released
|
Undecided
|
Unassigned | |||
Jammy |
Fix Released
|
Undecided
|
Unassigned | |||
Mantic |
Fix Released
|
Undecided
|
Unassigned | |||
Noble |
Fix Released
|
Undecided
|
Unassigned | |||
Oracular |
Fix Released
|
High
|
Andreas Hasenack |
Bug Description
[ Impact ]
On systems where /etc/os-release is an actual file instead of a symlink to /usr/lib/
This results in the esm-cache.service failing to run:
May 13 19:17:29 j-uat-2065573 python3[3490]: ["2024-
[ Test Plan ]
Keep sudo dmesg -wT | grep ubuntu_pro running in a terminal (in the same VM, if testing in a VM, or in the host, if testing with a LXD container), and then run this on the system being tested (LXD or VM):
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo rm -rf /var/lib/
sudo systemctl start esm-cache.service
there should be no apparmor DENIED messages for an access to /etc/os-release in the dmesg output. Additionally, /var/log/
Additionally, for a more surgical test, also run these:
sudo rm /etc/os-release
sudo cp /usr/lib/os-release /etc
sudo aa-exec -p ubuntu_
On a system with the fixed apparmor profile, you should see the contents of /etc/os-release. With the bug, the last command above will return a permission denied error and dmesg will show a corresponding apparmor DENIED error.
[ Where problems could occur ]
The fix is to include a rule to allow access to /etc/os-release, and /usr/lib/os-release too (even though that was covered already via other apparmor abstractions being included).
We don't think there is an additional security risk by this new allow rule, and in fact, it should probably be covered by some base abstraction in the future.
The risk being introduced by this fix is a syntax error on the profile, but that is covered by the package build which runs a syntax check.
The other riks is that this rule could only be correct for certain ubuntu releases, and not older ones like xenial, but this is a very simple file access rule, which is something very old apparmor profiles understand already.
[ Other Info ]
This was found by the CI system of a contributor who happened to be including proposed packages in their testing, and that for some reason does not have /etc/os-release as a symlink. We are unsure why /etc/os-release is not a symlink, but nevertheless it's a valid scenario, and should be fixed in the apparmor profile.
[ Original Description ]
We just caught a regression in our CI: https:/
An unexpected apparmor denial is logged in the journal:
May 13 08:49:01 ubuntu systemd[1]: Starting Update APT News...
May 13 08:49:01 ubuntu systemd[1]: Starting Update the local ESM caches...
May 13 08:49:02 ubuntu PackageKit[2370]: refresh-cache transaction /17_aebebede from uid 0 finished with success after 384ms
May 13 08:49:02 ubuntu audit[2667]: AVC apparmor="DENIED" operation="open" profile=
May 13 08:49:02 ubuntu kernel: kauditd_printk_skb: 59 callbacks suppressed
May 13 08:49:02 ubuntu kernel: audit: type=1400 audit(171559014
May 13 08:49:02 ubuntu python3[2667]: ["2024-
May 13 08:49:02 ubuntu systemd[1]: esm-cache.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update the local ESM caches.
May 13 08:49:02 ubuntu systemd[1]: apt-news.service: Deactivated successfully.
May 13 08:49:02 ubuntu systemd[1]: Finished Update APT News.
The relevant change since the last (working) state is that these packages got updated:
ubuntu-
ubuntu-pro-client (31.2.3~22.04 -> 32~22.04)
ubuntu-
Andreas Hasenack (ahasenack) wrote : | #1 |
Andreas Hasenack (ahasenack) wrote : | #2 |
Ok, I think we got it. In your system, /etc/os-release must be a file, and not a symlink as it is in our ubuntu systems:
$ ll /etc/os-release
lrwxrwxrwx 1 root root 21 jan 2 14:25 /etc/os-release -> ../usr/
$ ll /usr/lib/os-release
-rw-r--r-- 1 root root 393 jan 2 14:25 /usr/lib/os-release
Our profiles have a rule to allow /usr/lib/os-release (via globbing), but not /etc/os-release specifically.
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | New → Confirmed |
assignee: | nobody → Andreas Hasenack (ahasenack) |
importance: | Undecided → High |
Andreas Hasenack (ahasenack) wrote : | #3 |
Upstream issue filed: https:/
description: | updated |
Andreas Hasenack (ahasenack) wrote : Please test proposed package | #4 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Noble): | |
status: | New → Fix Committed |
tags: | added: verification-needed verification-needed-noble |
Changed in ubuntu-advantage-tools (Ubuntu Mantic): | |
status: | New → Fix Committed |
tags: | added: verification-needed-mantic |
Andreas Hasenack (ahasenack) wrote : | #5 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
status: | New → Fix Committed |
tags: | added: verification-needed-jammy |
Andreas Hasenack (ahasenack) wrote : | #6 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
status: | New → Fix Committed |
tags: | added: verification-needed-focal |
Andreas Hasenack (ahasenack) wrote : | #7 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
status: | New → Fix Committed |
tags: | added: verification-needed-bionic |
Andreas Hasenack (ahasenack) wrote : | #8 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | New → Fix Committed |
tags: | added: verification-needed-xenial |
Andreas Hasenack (ahasenack) wrote : | #9 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.1~24.04) | #10 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
wsl-pro-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.1~20.04) | #11 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.1~16.04) | #12 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
-- Lucas Moura <email address hidden> Tue, 14 May 2024 11:22:35 +0200
Changed in ubuntu-advantage-tools (Ubuntu Oracular): | |
status: | Confirmed → Fix Released |
Andreas Hasenack (ahasenack) wrote : Please test proposed package | #14 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #15 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #16 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #17 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #18 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Andreas Hasenack (ahasenack) wrote : | #19 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.1~16.04) | #20 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.1~24.04) | #21 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~24.04) | #22 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
ubuntu-
update-motd/unknown (s390x)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~16.04) | #23 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~23.10) | #24 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
update-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~22.04) | #25 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~20.04) | #26 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.2~18.04) | #27 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
ubuntu-
update-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Allison Karlitskaya (desrt) wrote : | #28 |
hi,
I can confirm that as of 32.1~22.04 (already released a week ago) we no longer experience the original issue that our CI caught.
Grant Orndorff (orndorffgrant) wrote : | #29 |
- verify-2065573.tar.gz Edit (5.1 KiB, application/x-tar)
Thanks Allison!
For the rest of the SRU verification: I've performed the test steps against 32.2 currently in -proposed, for all Ubuntu releases. The test passed in all cases. Logs attached. Marking verification done.
tags: |
added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-mantic verification-done-noble verification-done-xenial removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial |
Andreas Hasenack (ahasenack) wrote : Please test proposed package | #30 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed verification-needed-noble removed: verification-done verification-done-noble |
tags: |
added: verification-needed-mantic removed: verification-done-mantic |
Andreas Hasenack (ahasenack) wrote : | #31 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed-jammy removed: verification-done-jammy |
Andreas Hasenack (ahasenack) wrote : | #32 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed-focal removed: verification-done-focal |
Andreas Hasenack (ahasenack) wrote : | #33 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed-bionic removed: verification-done-bionic |
Andreas Hasenack (ahasenack) wrote : | #34 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
tags: |
added: verification-needed-xenial removed: verification-done-xenial |
Andreas Hasenack (ahasenack) wrote : | #35 |
Hello Allison, or anyone else affected,
Accepted ubuntu-
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.3~16.04) | #36 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
ubuntu-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (ubuntu-advantage-tools/32.3~24.04) | #37 |
All autopkgtests for the newly accepted ubuntu-
The following regressions have been reported in tests triggered by the package:
software-
wsl-pro-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Renan Rodrigo (renanrodrigo) wrote : | #38 |
I'm re-marking this as verification-done for all releases, as it was verified on 32.2 and the new 32.3 version does not affect this.
Further information in: https:/
tags: |
added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-mantic verification-done-noble verification-done-xenial removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-mantic verification-needed-noble verification-needed-xenial |
Andreas Hasenack (ahasenack) wrote : | #39 |
Doing an early release of this according to point 7 in the plan from https:/
autopkgtests are clear now.
Launchpad Janitor (janitor) wrote : | #40 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to noble (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:48 -0300
Changed in ubuntu-advantage-tools (Ubuntu Noble): | |
status: | Fix Committed → Fix Released |
Andreas Hasenack (ahasenack) wrote : Update Released | #41 |
The verification of the Stable Release Update for ubuntu-
Launchpad Janitor (janitor) wrote : | #42 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to mantic (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:45 -0300
Changed in ubuntu-advantage-tools (Ubuntu Mantic): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #43 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to jammy (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:42 -0300
Changed in ubuntu-advantage-tools (Ubuntu Jammy): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #44 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to focal (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:39 -0300
Changed in ubuntu-advantage-tools (Ubuntu Focal): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #45 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to bionic (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:36 -0300
Changed in ubuntu-advantage-tools (Ubuntu Bionic): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #46 |
This bug was fixed in the package ubuntu-
---------------
ubuntu-
* Backport 32.3 to xenial (LP: #2060732)
ubuntu-
* d/apparmor: adjust the profiles to account for usr-merge consequences
(LP: #2067319)
ubuntu-
* d/apparmor: adjust rules for violations found during testing (LP: #2066929)
ubuntu-
* d/apparmor: allow access for /etc/os-release on all supported
profiles (LP: #2065573)
* apport: get path for timer job status from the correct place (LP: #2065616)
ubuntu-
* d/postinst: ensure migrations happen in correct package postinst (GH: #2982)
* d/apparmor: introduce new ubuntu_
* New upstream release 32 (LP: #2060732)
- api:
+ u.pro.attach.
with token
+ u.pro.services.
+ u.pro.services.
+ u.pro.detach.v1: add support for detach operation
+ u.pro.status.
+ u.pro.services.
+ u.pro.security.
if needed
- apt_news: add architectures and packages selectors filters for apt news
- cli:
+ improved cli/log message for unexpected errors (GH: #2600)
+ properly handle setting empty config values (GH: #2925)
- cloud-init: support ubuntu_pro user-data
- collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)
- config: create public and private config (GH: #2809)
- entitlements:
+ update logic that checks if a service is enabled (LP: #2031192)
- fips: warn/confirm with user if enabling fips downgrades the kernel
- fix: warn users if ESM cache cannot be updated (GH: #2841)
- logging:
+ use journald logging for all systemd services
+ add redundancy to secret redaction
- messaging:
+ add consistent messaging for end of contract state
+ make explicit that unattached enable/disable is a noop (GH: #2487)
+ make explicit that disabling a disabled service is a noop
+ make explicit that enabling an enabled service is a noop
- notices: filter unreadable notices when listing notices (GH: #2898)
-- Renan Rodrigo <email address hidden> Tue, 28 May 2024 15:15:32 -0300
Changed in ubuntu-advantage-tools (Ubuntu Xenial): | |
status: | Fix Committed → Fix Released |
Hi, thanks for catching this, and for testing the proposed version of ubuntu- advantage- tools (v32).
We are still a bit baffled by how this escaped our CI, and to be honest, haven't yet been able to reproduce the apparmor DENIED message. Looking at the apparmor profiles involved, we don't see a rule allowing /etc/os-release to be read, Yet it doesn't happen in a jammy test installation, and so far we can't explain why.
Looking at https:/ /cockpit- logs.us- east-1. linodeobjects. com/image- refresh- ubuntu- 2204-6e3c7232- 20240512- 223711/ log.html, looks like you have jammy-proposed enabled at large, and grabbing everything from there, if I understood that correctly. I'll try to reproduce it that way.