Comment 17 for bug 2057937

Andreas Hasenack (ahasenack) wrote :

Xenial verification

a) Reproducing the problem, and confirming the fix

Starting with 31.2:
$ dpkg -l ubuntu-advantage-tools | grep ubuntu-advantage-tools
ii ubuntu-advantage-tools 31.2~16.04 all transitional dummy package for ubuntu-pro-client

Removing apparmor:
$ sudo apt remove apparmor -y
(...)
The following packages will be REMOVED:
  apparmor liblxc1 lxc-common lxd snapd ubuntu-core-launcher
(...)
Removing apparmor (2.10.95-0ubuntu2.12) ...
(...)

Rebooting...

Logging back in, checking apt-news.service to see it fails to start due to apparmor:

$ sudo systemctl start apt-news.service
Job for apt-news.service failed because the control process exited with error code. See "systemctl status apt-news.service" and "journalctl -xe" for details.

$ systemctl status apt-news.service
● apt-news.service - Update APT News
   Loaded: loaded (/lib/systemd/system/apt-news.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2024-04-14 15:41:47 UTC; 10s ago
  Process: 1486 ExecStart=/usr/bin/python3 /usr/lib/ubuntu-advantage/apt_news.py (code=exited, status=231/APPARMOR)
 Main PID: 1486 (code=exited, status=231/APPARMOR)

Installing ubuntu-advantage-tools from proposed:
$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
  Installed: 31.2.2~16.04
  Candidate: 31.2.2~16.04
  Version table:
 *** 31.2.2~16.04 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     31.2~16.04 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

$ pro version
31.2.2~16.04

Now the service starts:
$ sudo systemctl start apt-news.service
$

$ sudo systemctl status apt-news.service
● apt-news.service - Update APT News
   Loaded: loaded (/lib/systemd/system/apt-news.service; static; vendor preset: enabled)
   Active: inactive (dead)

(...)
Apr 14 15:43:40 x-vm systemd[1]: Starting Update APT News...
Apr 14 15:43:40 x-vm systemd[1]: Started Update APT News.

b) Confirming that apparmor, when available, is being applied

Continuing from test (a), we already have the proposed package installed.

Re-installing apparmor:
$ sudo apt install apparmor -y
(...)
Setting up apparmor (2.10.95-0ubuntu2.12) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults

Rebooting

Confirming profile is loaded and enforced:
$ sudo grep ubuntu_pro_apt_news /sys/kernel/security/apparmor/profiles
ubuntu_pro_apt_news (enforce)

Starting apt-news, it does not fail:
$ sudo systemctl start apt-news.service ; echo $?
0

Hacking the service unit file to force the service to stay running so we can inspect it:

$ sudo systemctl start apt-news.service
(it's sleeping)

Checking process:
# ps auxwZ|grep time\\.sleep
ubuntu_pro_apt_news (enforce) root 1749 0.0 0.8 35296 8716 ? Ss 15:49 0:00 /usr/bin/python3 -c import time; time.sleep(500)

We can see it's confined with ubuntu_pro_apt_news in enforce mode.

Xenial verification succeeded.
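
The checks from test (b) in scripted form, as an added example that is not part of the original comment or of ubuntu-advantage-tools. The function names, the sample files, `example_other_profile` and PID 1800 are constructed for illustration; the profile name and PID 1749 come from the output above.

```shell
#!/bin/sh
# Added example (not from the bug comment). File locations are parameters so
# the checks can run on constructed sample files or the live /sys and /proc.

# Print the mode of a loaded profile. The name must match exactly, so a longer
# name that merely contains the string (which a plain grep accepts) is rejected.
profile_mode() {
    want=$1
    file=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$file" ] || return 2
    while IFS= read -r line; do
        name=${line%" ("*}      # text before the trailing " (mode)"
        mode=${line##*" ("}     # "mode)"
        mode=${mode%")"}        # "mode"
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$mode"
            return 0
        fi
    done < "$file"
    return 1
}

# Print the confinement label of a process, e.g. "ubuntu_pro_apt_news (enforce)"
# or "unconfined", as exposed in <proc_root>/<pid>/attr/current.
pid_label() {
    attr=${2:-/proc}/$1/attr/current
    [ -r "$attr" ] || return 2
    IFS= read -r label < "$attr" || [ -n "$label" ] || return 2
    printf '%s\n' "$label"
}

# Report whether <pid> runs under <profile> in enforce mode.
check_confined() {
    pid=$1 profile=$2 profiles=$3 proc_root=$4
    mode=$(profile_mode "$profile" "$profiles") || { echo "profile-not-loaded"; return 1; }
    [ "$mode" = enforce ] || { echo "profile-in-$mode-mode"; return 1; }
    label=$(pid_label "$pid" "$proc_root") || { echo "no-such-process"; return 1; }
    [ "$label" = "$profile (enforce)" ] || { echo "process-label:$label"; return 1; }
    echo "confined"
}

# Constructed sample data standing in for /sys and /proc on a test machine.
demo=$(mktemp -d)
mkdir -p "$demo/proc/1749/attr" "$demo/proc/1800/attr"
printf '%s\n' 'ubuntu_pro_apt_news (enforce)' 'example_other_profile (complain)' > "$demo/profiles"
echo 'ubuntu_pro_apt_news (enforce)' > "$demo/proc/1749/attr/current"
echo 'unconfined' > "$demo/proc/1800/attr/current"
check_confined 1749 ubuntu_pro_apt_news "$demo/profiles" "$demo/proc"
check_confined 1800 ubuntu_pro_apt_news "$demo/profiles" "$demo/proc" || true
```

On a live system, run it as root and pass empty strings for the last two arguments of `check_confined` to use the real `/sys/kernel/security/apparmor/profiles` and `/proc`.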