debcrafters-packages team mailing list archive
Message #08604
[Bug 2123870] Re: apparmor several profiles incompatible with new coreutils scheme
Hello Chad, or anyone else affected,
Accepted ubuntu-advantage-tools into bionic-proposed. The package will
build now and be available at
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37ubuntu0~18.04
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: ubuntu-advantage-tools (Ubuntu Bionic)
Status: New => Fix Committed
** Tags added: verification-needed-bionic
https://bugs.launchpad.net/bugs/2123870
Title:
apparmor several profiles incompatible with new coreutils scheme
Status in akonadi package in Ubuntu:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Status in cups package in Ubuntu:
Fix Released
Status in cups-browsed package in Ubuntu:
Fix Released
Status in evince package in Ubuntu:
Fix Released
Status in isc-dhcp package in Ubuntu:
Confirmed
Status in libvirt package in Ubuntu:
Fix Released
Status in pollinate package in Ubuntu:
Fix Released
Status in snapd package in Ubuntu:
In Progress
Status in surf package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Bionic:
Fix Committed
Status in ubuntu-advantage-tools source package in Focal:
Fix Committed
Status in ubuntu-advantage-tools source package in Jammy:
Fix Committed
Status in ubuntu-advantage-tools source package in Noble:
Fix Committed
Status in ubuntu-advantage-tools source package in Plucky:
Fix Committed
Bug description:
(SRU data for ubuntu-advantage-tools; see the Original Description section below otherwise)
[ Impact ]
Starting on Questing, users may see apparmor DENIED operations when
running Pro Client commands due to the change to rust-coreutils. This
is already tested and fixed there, but it's being backported to all
Pro-supported releases per
https://documentation.ubuntu.com/sru/en/latest/reference/exception-UbuntuAdvantageTools-Updates/.
There must be no impact to users in these releases.
[ Test plan ]
As part of the verification of LP #2125453, the whole acceptance test
suite is executed. Any apparmor DENIED entry is considered a failure
in the acceptance tests. Tests passing means no DENIED operation for
all the covered and supported scenarios.
[ Where problems could occur ]
The code fixing the bug in -devel could have a negative impact on
older releases, as we keep the same codebase everywhere. We believe
this won't result in a regression because it is loosening the profile
instead of restricting more. There is the risk of allowing things we
would not want, but the patch comes directly from the apparmor team,
via Georgia Garcia (georgia.garcia@xxxxxxxxxxxxx), which makes it more
reliable.
[ Original Description ]
apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2 released
on May 08, 2025. Minimally this looks to affect wg-quick profile.
But there may be other profiles that are affected.
gnu-coreutils delivers new symlinks for /usr/bin/cat,
/usr/bin/readlink and 105 other utilities in /usr/bin which point to
/usr/bin/gnu<toolname>. Apparmor resolves the symlink to the real
target path which then breaks any apparmor profile which referenced
the format /usr/bin or /usr/sbin utility name.
The result is many DENIED operations for any symlinked gnu-coreutils
command.
This bug appears to affect any apparmor profile in Ubuntu questing
which happens to set file-based mediation rules for any of the
symlinked utilities below:
Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format:
pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Symlinked utilities due to gnu-coreutils:
/usr/bin/arch
/usr/bin/b2sum
/usr/bin/base32
/usr/bin/base64
/usr/bin/basename
/usr/bin/basenc
/usr/bin/cat
/usr/bin/chcon
/usr/bin/chgrp
/usr/bin/chmod
/usr/bin/chown
/usr/bin/cksum
/usr/bin/comm
/usr/bin/cp
/usr/bin/csplit
/usr/bin/cut
/usr/bin/date
/usr/bin/dd
/usr/bin/df
/usr/bin/dir
/usr/bin/dircolors
/usr/bin/dirname
/usr/bin/du
/usr/bin/echo
/usr/bin/env
/usr/bin/expand
/usr/bin/expr
/usr/bin/factor
/usr/bin/false
/usr/bin/fmt
/usr/bin/fold
/usr/bin/groups
/usr/bin/head
/usr/bin/hostid
/usr/bin/id
/usr/bin/install
/usr/bin/join
/usr/bin/link
/usr/bin/ln
/usr/bin/logname
/usr/bin/ls
/usr/bin/md5sum
/usr/bin/mkdir
/usr/bin/mkfifo
/usr/bin/mknod
/usr/bin/mktemp
/usr/bin/mv
/usr/bin/nice
/usr/bin/nl
/usr/bin/nohup
/usr/bin/nproc
/usr/bin/numfmt
/usr/bin/od
/usr/bin/paste
/usr/bin/pathchk
/usr/bin/pinky
/usr/bin/pr
/usr/bin/printenv
/usr/bin/printf
/usr/bin/ptx
/usr/bin/pwd
/usr/bin/readlink
/usr/bin/realpath
/usr/bin/rm
/usr/bin/rmdir
/usr/bin/runcon
/usr/bin/seq
/usr/bin/sha1sum
/usr/bin/sha224sum
/usr/bin/sha256sum
/usr/bin/sha384sum
/usr/bin/sha512sum
/usr/bin/shred
/usr/bin/shuf
/usr/bin/sleep
/usr/bin/sort
/usr/bin/split
/usr/bin/stat
/usr/bin/stdbuf
/usr/bin/stty
/usr/bin/sum
/usr/bin/sync
/usr/bin/tac
/usr/bin/tail
/usr/bin/tee
/usr/bin/test
/usr/bin/timeout
/usr/bin/touch
/usr/bin/tr
/usr/bin/true
/usr/bin/truncate
/usr/bin/tsort
/usr/bin/tty
/usr/bin/uname
/usr/bin/unexpand
/usr/bin/uniq
/usr/bin/unlink
/usr/bin/users
/usr/bin/vdir
/usr/bin/wc
/usr/bin/who
/usr/bin/whoami
/usr/bin/yes
/usr/sbin/chroot
### steps to reproduce
```
lxc launch ubuntu-daily:questing --vm kvm-q
lxc exec kvm-q bash
apt-get update --yes
apt-get install wireguard-tools --yes
modprobe wireguard
su - ubuntu
umask 077
wg genkey > wg0.key
wg pubkey < wg0.key > wg0.pub
<CTRL-D>
root@kvm-q:~# KEY=`cat /home/ubuntu/wg0.key`
root@kvm-q:~# PUBKEY=`cat /home/ubuntu/wg0.pub`
root@kvm-q:~# cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.254.1/32
ListenPort = 51820
PrivateKey = ${KEY}
[Peer]
PublicKey = ${PUBKEY}
AllowedIPs = 192.168.254.2/32
EOF
systemctl restart wg-quick@wg
echo $?
journalctl -u wg-quick@wg.service
```
```
Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
```
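The following is an added example, not part of the bug report or of any package it mentions. It triages kernel audit records the way the report reads them: it keeps AppArmor DENIED entries whose `name` is a `/usr/bin/gnu<tool>` symlink target for a listed coreutils utility and groups them by profile. The `COREUTILS` subset, the `example-profile` name and the last four sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Subset of the utilities listed in the report; extend with the full list.
COREUTILS = set("cat readlink sort ls cp mv rm head tail env id stat".split())

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="value" or key=value
GNU_TARGET = re.compile(r"^/usr/bin/gnu([a-z0-9]+)$")  # symlink target per the report

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def coreutils_denials(lines):
    """Map profile -> sorted [(path a profile rule names, resolved path, mask)]."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        m = GNU_TARGET.match(rec.get("name", "")) if rec else None
        if m and m[1] in COREUTILS:  # skips unrelated names such as /usr/bin/gnuplot
            hits[rec.get("profile", "?")].add(
                (f"/usr/bin/{m[1]}", rec["name"], rec.get("denied_mask", "")))
    return {profile: sorted(paths) for profile, paths in hits.items()}

# First three records are from the report (hostname prefix dropped, wrapped
# lines joined); the remaining four are constructed for this example.
SAMPLE = [
    'pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1757953300.000:500): apparmor="DENIED" operation="exec" class="file" profile="example-profile" name="/usr/bin/gnucat" requested_mask="x" denied_mask="x"',
    'audit: type=1400 audit(1757953301.000:501): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/etc/shadow" requested_mask="r" denied_mask="r"',
    'audit: type=1400 audit(1757953302.000:502): apparmor="DENIED" operation="exec" class="file" profile="example-profile" name="/usr/bin/gnuplot" requested_mask="x" denied_mask="x"',
    'audit: type=1400 audit(1757953303.000:503): apparmor="ALLOWED" operation="open" class="file" profile="example-profile" name="/usr/bin/gnuls" requested_mask="r" denied_mask="r"',
]

if __name__ == "__main__":
    for profile, paths in coreutils_denials(SAMPLE).items():
        for rule_path, real_path, mask in paths:
            print(f"{profile}: rule for {rule_path} does not cover {real_path} ({mask})")
```

An empty result from `coreutils_denials` over a test run's kernel log corresponds to the report's pass condition for this class of denial; other DENIED records still need their own review.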