For snapd: https://github.com/canonical/snapd/pull/16068
--
https://bugs.launchpad.net/bugs/2123870

Title:
apparmor several profiles incompatible with new coreutils scheme

Status in akonadi package in Ubuntu: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in cups package in Ubuntu: Fix Released
Status in cups-browsed package in Ubuntu: Fix Released
Status in evince package in Ubuntu: Fix Released
Status in isc-dhcp package in Ubuntu: Confirmed
Status in libvirt package in Ubuntu: Fix Released
Status in msmtp package in Ubuntu: New
Status in papers package in Ubuntu: New
Status in percona-xtrabackup package in Ubuntu: New
Status in pollinate package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: In Progress
Status in surf package in Ubuntu: Fix Released
Status in ubuntu-advantage-tools package in Ubuntu: Fix Released
Status in ubuntu-advantage-tools source package in Xenial: Fix Committed
Status in ubuntu-advantage-tools source package in Bionic: Fix Committed
Status in ubuntu-advantage-tools source package in Focal: Fix Committed
Status in ubuntu-advantage-tools source package in Jammy: Fix Committed
Status in ubuntu-advantage-tools source package in Noble: Fix Committed
Status in ubuntu-advantage-tools source package in Plucky: Fix Committed

Bug description:

(SRU data for ubuntu-advantage-tools; see the Original Description section below otherwise)

[ Impact ]

Starting on Questing, users may see apparmor DENIED operations when running Pro Client commands due to the change to rust-coreutils.

This is already tested and fixed there, but it's being backported to all Pro-supported releases per https://documentation.ubuntu.com/sru/en/latest/reference/exception-UbuntuAdvantageTools-Updates/. There must be no impact to users in these releases.

[ Test plan ]

As part of the verification of LP #2125453, the whole acceptance test suite is executed.
Any apparmor DENIED entry is considered a failure in the acceptance tests. Tests passing means no DENIED operation for all the covered and supported scenarios.

[ Where problems could occur ]

The code fixing the bug in -devel could have a negative impact on older releases, as we keep the same codebase everywhere. We believe this won't result in a regression because it is loosening the profile instead of restricting more. There is the risk of allowing things we would not want, but the patch comes directly from the apparmor team, via Georgia Garcia ([email protected]), which makes it more reliable.

[ Original Description ]

apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2 released on May 08, 2025. Minimally this looks to affect the wg-quick profile. But there may be other profiles that are affected.

gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. Apparmor resolves the symlink to the real target path which then breaks any apparmor profile which referenced the format /usr/bin or /usr/sbin utility name. The result is many DENIED operations for any symlinked gnu-coreutils command.

This bug appears to affect any apparmor profile in Ubuntu questing which happens to set file-based mediation rules for any of the symlinked utilities below:

Any profile which has specific file rules related to these utilities will likely have DENIED messages in Ubuntu questing of the format:

pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Symlinked utilities due to gnu-coreutils:

/usr/bin/arch
/usr/bin/b2sum
/usr/bin/base32
/usr/bin/base64
/usr/bin/basename
/usr/bin/basenc
/usr/bin/cat
/usr/bin/chcon
/usr/bin/chgrp
/usr/bin/chmod
/usr/bin/chown
/usr/bin/cksum
/usr/bin/comm
/usr/bin/cp
/usr/bin/csplit
/usr/bin/cut
/usr/bin/date
/usr/bin/dd
/usr/bin/df
/usr/bin/dir
/usr/bin/dircolors
/usr/bin/dirname
/usr/bin/du
/usr/bin/echo
/usr/bin/env
/usr/bin/expand
/usr/bin/expr
/usr/bin/factor
/usr/bin/false
/usr/bin/fmt
/usr/bin/fold
/usr/bin/groups
/usr/bin/head
/usr/bin/hostid
/usr/bin/id
/usr/bin/install
/usr/bin/join
/usr/bin/link
/usr/bin/ln
/usr/bin/logname
/usr/bin/ls
/usr/bin/md5sum
/usr/bin/mkdir
/usr/bin/mkfifo
/usr/bin/mknod
/usr/bin/mktemp
/usr/bin/mv
/usr/bin/nice
/usr/bin/nl
/usr/bin/nohup
/usr/bin/nproc
/usr/bin/numfmt
/usr/bin/od
/usr/bin/paste
/usr/bin/pathchk
/usr/bin/pinky
/usr/bin/pr
/usr/bin/printenv
/usr/bin/printf
/usr/bin/ptx
/usr/bin/pwd
/usr/bin/readlink
/usr/bin/realpath
/usr/bin/rm
/usr/bin/rmdir
/usr/bin/runcon
/usr/bin/seq
/usr/bin/sha1sum
/usr/bin/sha224sum
/usr/bin/sha256sum
/usr/bin/sha384sum
/usr/bin/sha512sum
/usr/bin/shred
/usr/bin/shuf
/usr/bin/sleep
/usr/bin/sort
/usr/bin/split
/usr/bin/stat
/usr/bin/stdbuf
/usr/bin/stty
/usr/bin/sum
/usr/bin/sync
/usr/bin/tac
/usr/bin/tail
/usr/bin/tee
/usr/bin/test
/usr/bin/timeout
/usr/bin/touch
/usr/bin/tr
/usr/bin/true
/usr/bin/truncate
/usr/bin/tsort
/usr/bin/tty
/usr/bin/uname
/usr/bin/unexpand
/usr/bin/uniq
/usr/bin/unlink
/usr/bin/users
/usr/bin/vdir
/usr/bin/wc
/usr/bin/who
/usr/bin/whoami
/usr/bin/yes
/usr/sbin/chroot

### steps to reproduce

lxc launch ubuntu-daily:questing --vm kvm-q
lxc exec kvm-q bash
apt-get update --yes
apt-get install wireguard-tools --yes
modprobe wireguard
su - ubuntu
umask 077
wg genkey > wg0.key
wg pubkey < wg0.key > wg0.pub
<CTRL-D>
root@kvm-q:~# KEY=`cat /home/ubuntu/wg0.key`
root@kvm-q:~# PUBKEY=`cat /home/ubuntu/wg0.pub`
root@kvm-q:~# cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.254.1/32
ListenPort = 51820
PrivateKey = ${KEY}

[Peer]
PublicKey = ${PUBKEY}
AllowedIPs = 192.168.254.2/32
EOF

systemctl restart wg-quick@wg
echo $?
journalctl -u [email protected]

```
Sep 15 17:49:19 kvm-q systemd[1]: Starting [email protected] - WireGuard via wg-quick(8) for wg...
Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
Sep 15 17:49:19 kvm-q systemd[1]: [email protected]: Main process exited, code=exited, status=126/n/a
Sep 15 17:49:19 kvm-q systemd[1]: [email protected]: Failed with result 'exit-code'.
Sep 15 17:49:19 kvm-q systemd[1]: Failed to start [email protected] - WireGuard via wg-quick(8) for wg.
```
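
A triage helper for the denials quoted in the report, added here as an example (it is not code from the bug report, apparmor or snapd): it parses AppArmor DENIED audit records, keeps only those whose resolved target is `/usr/bin/gnu<tool>` for a tool in the report's symlink list, and groups them by profile. The function names, the `gnuplot` record and the `{,gnu}` candidate rule form are assumptions of this example; the candidate rules are a starting point for profile review, not the fix that was shipped.

```python
import re
from collections import defaultdict

# Constructed sample: the three DENIED records quoted in the report, plus one
# made-up record (gnuplot) that shares the "gnu" prefix and must be ignored.
SAMPLE_LOG = """\
pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(0.000:1): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/usr/bin/gnuplot" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Subset of the symlinked utilities listed in the report; load the full list
# when triaging a real system.
SYMLINKED = frozenset({"cat", "env", "ls", "readlink", "sort", "test"})

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="value"
TARGET = re.compile(r"/usr/bin/gnu(\w+)")     # resolved symlink target


def parse_denials(text):
    """Yield the key=value fields of each AppArmor DENIED audit record."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields


def coreutils_denials(text, tools=SYMLINKED):
    """Return {profile: {tool: denied mask}} for denials on /usr/bin/gnu<tool>."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in parse_denials(text):
        m = TARGET.fullmatch(rec.get("name", ""))
        if m and m.group(1) in tools:
            hits[rec.get("profile", "?")][m.group(1)].update(rec.get("denied_mask", ""))
    return {p: {t: "".join(sorted(s)) for t, s in d.items()} for p, d in hits.items()}


def candidate_rules(hits):
    """Candidate file rules covering symlink and target; review before use."""
    return {p: [f"/usr/bin/{{,gnu}}{t} {mask}," for t, mask in sorted(d.items())]
            for p, d in hits.items()}


if __name__ == "__main__":
    for profile, rules in candidate_rules(coreutils_denials(SAMPLE_LOG)).items():
        print(profile, *rules, sep="\n  ")
```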

