[Bug 1826294] [NEW] os-prober exits prematurely with "logger: socket /dev/log: Protocol wrong type for socket"

Dara Poon 1826294 at bugs.launchpad.net
Thu Apr 25 00:27:11 UTC 2019 

Public bug reported:

Failure occurs on Ubuntu 16.04 with the apparmor-
profiles-2.10.95-0ubuntu2.10 package installed.

Running update-grub will run /usr/bin/os-prober, which spews about a
dozen of the following line to stderr:

    logger: socket /dev/log: Protocol wrong type for socket

… but fails to report the existence of some installed operating systems
as expected.

Furthermore, /var/log/messages contains:

    kernel: audit: type=1400 audit(1556043066.679:11460):
apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup -
disconnected path" error=-13 profile="syslog-ng" name="dev/log"
pid=28566 comm="logger" requested_mask="r" denied_mask="r" fsuid=0
ouid=0


Here is a stripped-down skeleton of the /usr/bin/os-prober script, which demonstrates the problem:

    #!/bin/sh
    set -e -x
    
    newns () {
      [ "$OS_PROBER_NEWNS" ] || exec /usr/lib/os-prober/newns "$0" "$@"
    }
    
    log() {
      logger -t "$(basename "$0")" "$@"
    }
    
    debug() {
      log "debug: $@"
    }
    
    ls -l /dev/log
    debug "Hello world"
    newns "$@"

The expected behavior is that it should write "debug: os-prober-testcase
Hello world" to /var/log/messages twice.  However, it only succeeds in
writing "Hello world" once.  After the script respawns itself with
/usr/lib/os-prober/newns (which is like `unshare -m`), the second
attempt to write to /dev/log fails as described above.

Since the os-prober Bash script runs with the -e flag, any error, even
just a logging error, causes the script to terminate prematurely.
(Arguably, the log() function should call `logger -t "$(basename "$0")"
"$@" || :` so that logging failures aren't fatal.)


The fix, for me, is to edit /etc/apparmor.d/sbin.syslog-ng, and change

    profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain) {\
      …
    }

to

    profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain,attach_disconnected) {
      …
    }

… then run `aa-complain sbin.syslog-ng` and `service syslog-ng restart`,
before running update-grub again.  I assume that similar fixes would be
required for the other logging daemons.

** Affects: apparmor-profiles
     Importance: Undecided
         Status: New

** Affects: os-prober (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: apparmor-profiles
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to os-prober in Ubuntu.
https://bugs.launchpad.net/bugs/1826294

Title:
  os-prober exits prematurely with "logger: socket /dev/log: Protocol
  wrong type for socket"

Status in AppArmor Profiles:
  New
Status in os-prober package in Ubuntu:
  New

Bug description:
  Failure occurs on Ubuntu 16.04 with the apparmor-
  profiles-2.10.95-0ubuntu2.10 package installed.

  Running update-grub will run /usr/bin/os-prober, which spews about a
  dozen of the following line to stderr:

      logger: socket /dev/log: Protocol wrong type for socket

  … but fails to report the existence of some installed operating
  systems as expected.

  Furthermore, /var/log/messages contains:

      kernel: audit: type=1400 audit(1556043066.679:11460):
  apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup -
  disconnected path" error=-13 profile="syslog-ng" name="dev/log"
  pid=28566 comm="logger" requested_mask="r" denied_mask="r" fsuid=0
  ouid=0

  
  Here is a stripped-down skeleton of the /usr/bin/os-prober script, which demonstrates the problem:

      #!/bin/sh
      set -e -x
      
      newns () {
        [ "$OS_PROBER_NEWNS" ] || exec /usr/lib/os-prober/newns "$0" "$@"
      }
      
      log() {
        logger -t "$(basename "$0")" "$@"
      }
      
      debug() {
        log "debug: $@"
      }
      
      ls -l /dev/log
      debug "Hello world"
      newns "$@"

  The expected behavior is that it should write "debug: os-prober-
  testcase Hello world" to /var/log/messages twice.  However, it only
  succeeds in writing "Hello world" once.  After the script respawns
  itself with /usr/lib/os-prober/newns (which is like `unshare -m`), the
  second attempt to write to /dev/log fails as described above.

  Since the os-prober Bash script runs with the -e flag, any error, even
  just a logging error, causes the script to terminate prematurely.
  (Arguably, the log() function should call `logger -t "$(basename
  "$0")" "$@" || :` so that logging failures aren't fatal.)

  
  The fix, for me, is to edit /etc/apparmor.d/sbin.syslog-ng, and change

      profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain) {\
        …
      }

  to

      profile syslog-ng /{usr/,}sbin/syslog-ng flags=(complain,attach_disconnected) {
        …
      }

  … then run `aa-complain sbin.syslog-ng` and `service syslog-ng
  restart`, before running update-grub again.  I assume that similar
  fixes would be required for the other logging daemons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/1826294/+subscriptions

More information about the foundations-bugs mailing list