Public bug reported:

apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2, released
on May 08, 2025. Minimally this looks to affect the wg-quick profile, but
there may be other profiles that are affected.


gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and 105
other utilities in /usr/bin which point to /usr/bin/gnu<toolname>. Apparmor
resolves the symlink to the real target path, which then breaks any apparmor
profile that referenced the utility by its /usr/bin or /usr/sbin name.


The result is many DENIED operations for any symlinked gnu-coreutils command.


This bug appears to affect any apparmor profile in Ubuntu questing which 
happens to set file-based mediation rules for any of the symlinked utilities 
below:


Any profile which has specific file rules related to these utilities will 
likely have DENIED messages in Ubuntu questing of the format: 
```
pe=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel: audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```


Symlinked utilities due to gnu-coreutils:
/usr/bin/arch
/usr/bin/b2sum
/usr/bin/base32
/usr/bin/base64
/usr/bin/basename
/usr/bin/basenc
/usr/bin/cat
/usr/bin/chcon
/usr/bin/chgrp
/usr/bin/chmod
/usr/bin/chown
/usr/bin/cksum
/usr/bin/comm
/usr/bin/cp
/usr/bin/csplit
/usr/bin/cut
/usr/bin/date
/usr/bin/dd
/usr/bin/df
/usr/bin/dir
/usr/bin/dircolors
/usr/bin/dirname
/usr/bin/du
/usr/bin/echo
/usr/bin/env
/usr/bin/expand
/usr/bin/expr
/usr/bin/factor
/usr/bin/false
/usr/bin/fmt
/usr/bin/fold
/usr/bin/groups
/usr/bin/head
/usr/bin/hostid
/usr/bin/id
/usr/bin/install
/usr/bin/join
/usr/bin/link
/usr/bin/ln
/usr/bin/logname
/usr/bin/ls
/usr/bin/md5sum
/usr/bin/mkdir
/usr/bin/mkfifo
/usr/bin/mknod
/usr/bin/mktemp
/usr/bin/mv
/usr/bin/nice
/usr/bin/nl
/usr/bin/nohup
/usr/bin/nproc
/usr/bin/numfmt
/usr/bin/od
/usr/bin/paste
/usr/bin/pathchk
/usr/bin/pinky
/usr/bin/pr
/usr/bin/printenv
/usr/bin/printf
/usr/bin/ptx
/usr/bin/pwd
/usr/bin/readlink
/usr/bin/realpath
/usr/bin/rm
/usr/bin/rmdir
/usr/bin/runcon
/usr/bin/seq
/usr/bin/sha1sum
/usr/bin/sha224sum
/usr/bin/sha256sum
/usr/bin/sha384sum
/usr/bin/sha512sum
/usr/bin/shred
/usr/bin/shuf
/usr/bin/sleep
/usr/bin/sort
/usr/bin/split
/usr/bin/stat
/usr/bin/stdbuf
/usr/bin/stty
/usr/bin/sum
/usr/bin/sync
/usr/bin/tac
/usr/bin/tail
/usr/bin/tee
/usr/bin/test
/usr/bin/timeout
/usr/bin/touch
/usr/bin/tr
/usr/bin/true
/usr/bin/truncate
/usr/bin/tsort
/usr/bin/tty
/usr/bin/uname
/usr/bin/unexpand
/usr/bin/uniq
/usr/bin/unlink
/usr/bin/users
/usr/bin/vdir
/usr/bin/wc
/usr/bin/who
/usr/bin/whoami
/usr/bin/yes
/usr/sbin/chroot


### steps to reproduce

```
lxc launch ubuntu-daily:questing --vm kvm-q
lxc exec kvm-q bash
apt-get update --yes
apt-get install wireguard-tools --yes
modprobe wireguard
su - ubuntu
umask 077
wg genkey > wg0.key
wg pubkey < wg0.key > wg0.pub
<CTRL-D>
root@kvm-q:~#  KEY=`cat /home/ubuntu/wg0.key`
root@kvm-q:~#  PUBKEY=`cat /home/ubuntu/wg0.pub`
root@kvm-q:~#  cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 192.168.254.1/32
ListenPort = 51820
PrivateKey = ${KEY}

[Peer]
PublicKey = ${PUBKEY}
AllowedIPs = 192.168.254.2/32
EOF

systemctl restart wg-quick@wg
echo $?

journalctl -u wg-quick@wg.service
```

```
Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
```
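The mechanism behind the denials above is that AppArmor matches file rules against the path the kernel resolves, so a rule written for /usr/bin/readlink no longer matches once that name is a symlink to /usr/bin/gnureadlink. The script below is an added example, not part of the bug report or of Ubuntu's apparmor package: it scans a profile for /usr/bin and /usr/sbin rules whose path is a symlink, reports the resolved target, and prints a rule using AppArmor's brace alternation (for example `/usr/bin/{cat,gnucat} rix,`) that covers both names. The fixture directory, the profile fragment and the function names are constructed for the demo; on an affected host the same function is run with an empty ROOT against the real profile file.

```shell
#!/usr/bin/env bash
# Added example, not part of the bug report: audit an AppArmor profile for
# file rules whose path is now a symlink (as gnu-coreutils does for
# /usr/bin/cat -> /usr/bin/gnucat) and print a rule covering both the link
# name and the resolved target. AppArmor mediates on the resolved path, so a
# rule for /usr/bin/readlink does not match /usr/bin/gnureadlink.
set -eu

# Extract the absolute /usr/bin and /usr/sbin paths that start a rule line in
# PROFILE and print "link -> target" for those that are symlinks. ROOT is an
# optional prefix under which the paths are checked (empty on a live system;
# a constructed fixture directory in the demo below).
list_symlinked_rules() {
  profile=$1; root=${2:-}
  sed -E -n 's|^[[:space:]]*(/usr/s?bin/[A-Za-z0-9_.+-]+).*|\1|p' "$profile" |
  while IFS= read -r p; do
    if [ -L "$root$p" ]; then
      t=$(readlink "$root$p")
      # a relative link target is resolved against the link's own directory
      case $t in /*) ;; *) t=$(dirname "$p")/$t ;; esac
      printf '%s -> %s\n' "$p" "$t"
    fi
  done
}

# Print an AppArmor rule granting PERMS to both LINK and TARGET. When both
# live in the same directory, brace alternation keeps it to one line.
suggest_rule() {
  link=$1; target=$2; perms=${3:-rix}
  if [ "$(dirname "$link")" = "$(dirname "$target")" ]; then
    printf '%s/{%s,%s} %s,\n' "$(dirname "$link")" "$(basename "$link")" \
      "$(basename "$target")" "$perms"
  else
    printf '%s %s,\n%s %s,\n' "$link" "$perms" "$target" "$perms"
  fi
}

# Constructed fixture: a fake /usr/bin with two coreutils-style symlinks, one
# regular binary, and a profile fragment written in the style of the wg-quick
# profile (constructed here, not the distro's actual profile text).
make_fixture() {
  root=$1
  mkdir -p "$root/usr/bin"
  ln -s gnucat "$root/usr/bin/cat"            # relative link: cat -> gnucat
  ln -s gnureadlink "$root/usr/bin/readlink"  # readlink -> gnureadlink
  : > "$root/usr/bin/wg"                      # regular file: must not be reported
  cat > "$root/profile" <<'EOF'
profile wg-quick /usr/bin/wg-quick {
  /usr/bin/cat rix,
  /usr/bin/readlink rix,
  /usr/bin/wg rix,
}
EOF
}

# Demo against the fixture. On an affected host, run instead:
#   list_symlinked_rules /etc/apparmor.d/<profile-file> ""
demo() {
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  list_symlinked_rules "$tmp/profile" "$tmp" |
  while read -r link _ target; do
    printf '%-42s suggested: %s\n' "$link -> $target" \
      "$(suggest_rule "$link" "$target" rix)"
  done
  rm -rf "$tmp"
}
demo
```

The alternation form is preferable to a blanket `/usr/bin/gnu* rix,` because it only widens the rule for utilities the profile already allowed; the script reports `/usr/bin/cat` and `/usr/bin/readlink` from the fixture and leaves `/usr/bin/wg` alone because it is a regular file.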

** Affects: apparmor (Ubuntu)
     Importance: High
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2123870

Title:
  apparmor wg-quick profile incompatible with gnu-coreutils symlinked
  binaries

Status in apparmor package in Ubuntu:
  New
