"Expanded Security Maintenance for Applications" shown every time I log on!

Keith keithw at caramail.com
Sun Mar 12 19:11:03 UTC 2023


On 3/12/23 12:32 PM, Bo Berglund wrote:
> On Sat, 11 Mar 2023 00:23:18 +0100, Bo Berglund <bo.berglund at gmail.com> wrote:
> 
>> Thanks,
>> I did sign up and attached my server to the Pro system.
>> I have to check the consequences tomorrow.
> 
> Now I continued to another of my HP workstation laptops running the same:
>   Ubuntu 20.04.5 LTS
> The device is an HP Elitebook workstation 8440w
> 
> I went through the process that worked fine on the other devices but now I am
> getting this:
> 
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc
> 
> So I figured I could reboot to clean up stuff since I forgot to reboot after the
> command:
>    apt update && apt full-upgrade -y
> 
> After logging on again I checked the system:
> 
> $ sudo pro status
> SERVICE          ENTITLED  STATUS    DESCRIPTION
> esm-apps         yes       enabled   Expanded Security Maintenance for
> Applications
> esm-infra        yes       enabled   Expanded Security Maintenance for
> Infrastructure
> fips             yes       disabled  NIST-certified core packages
> fips-updates     yes       disabled  NIST-certified core packages with priority
> security updates
> livepatch        yes       disabled  Canonical Livepatch service
> usg              yes       disabled  Security compliance and audit tools
> 
> Enable services with: pro enable <service>
> 
> Next I tried:
> $ sudo pro enable livepatch
> 
> One moment, checking your subscription first
> Installing canonical-livepatch snap
> Stderr: error: cannot perform the following tasks:
> - Setup snap "canonical-livepatch" (164) security profiles (cannot setup
> profiles for snap "canonical-livepatch": cannot load apparmor profiles: exit
> status 1
> apparmor_parser output:
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap-update-ns.canonical-livepatch in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatch in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatchd
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.configure in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.connect-plug-etc-update-motd-d
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.disconnect-plug-etc-update-motd-d
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> )
> 
> Then a number of similar messages, and then the last one:
> 
> Unable to install Livepatch client: Failed running command '/usr/bin/snap
> install canonical-livepatch' [exit(1)]. Message: error: cannot perform the
> following tasks:
> - Setup snap "canonical-livepatch" (164) security profiles (cannot setup
> profiles for snap "canonical-livepatch": cannot load apparmor profiles: exit
> status 1
> apparmor_parser output:
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatchd
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap-update-ns.canonical-livepatch in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.canonical-livepatch in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.configure in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.connect-plug-etc-update-motd-d
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.disconnect-plug-etc-update-motd-d
> in /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> AppArmor parser error for
> /var/lib/snapd/apparmor/profiles/snap.canonical-livepatch.hook.remove in
> /etc/apparmor.d/tunables/global at line 17: Could not open 'tunables/proc'
> )
> 
> 
> Is this really supposed to happen????
> 
> And what is apparmor?
> 
> This is what I see when checking:
> 
> $ apt policy apparmor
> apparmor:
>    Installed: 2.13.3-7ubuntu5.1
>    Candidate: 2.13.3-7ubuntu5.1
>    Version table:
>   *** 2.13.3-7ubuntu5.1 500
>          500 http://se.archive.ubuntu.com/ubuntu focal-updates/main amd64
> Packages
>          100 /var/lib/dpkg/status
>       2.13.3-7ubuntu5 500
>          500 http://se.archive.ubuntu.com/ubuntu focal/main amd64 Packages
> 
> What is the problem?
> 

What does the following show?

$ ls -l /etc/apparmor.d/tunables

Do you have a /etc/apparmor.d/tunables/proc file and is it readable? 
It's just an ASCII text file and like all the other files in that 
directory should have 644 perms. If that file is not there or is 
corrupted then you should reinstall the apparmor package.

$ sudo apt install --reinstall apparmor

After that, I would disable the livepatch service, then remove the 
livepatch snap.

$ sudo snap remove --purge canonical-livepatch

If the snap removes cleanly, then try re-enabling the livepatch service 
with the pro command and it should download and install the snap again, 
hopefully this time without the apparmor errors.

If the problem is fixed by reinstalling the apparmor package, then you 
may want to check to see if there are any other missing files, file 
corruption, or not fully installed packages on your systems.

Apart from fsck which should be run at boot time to check the integrity 
of the filesystem, the following commands will check the integrity of 
the package database:

$ sudo apt-get check (updates package cache and checks for broken 
dependencies)

$ sudo dpkg -C (checks database consistency and looks for packages that 
may not be fully or correctly installed and suggests what to do to fix 
the problem)

$ sudo dpkg -V (performs md5sum verification on files installed from 
packages provided that any installed package comes with a file 
containing the md5sums of its file contents to compare with.)

You can also list individual packages to verify as the above command can 
take a while as it calculates md5sums on thousands of installed files.

$ sudo dpkg -V apparmor (will quickly tell you if there are integrity 
issues with the apparmor package files.)

Note that -V currently only reports md5sum verification, not whether a 
file has had its permissions changed from when it was first installed.

-- 
Keith
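
The check suggested in the reply above, as an added example that is not part of the original message or of any Ubuntu tooling: it reads the include lines in tunables/global and reports each included file that is missing or not mode 644, which covers the permission case the reply says dpkg -V does not report. The function name check_tunables_includes and the MISSING/MODE output format are assumptions made for this sketch, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage: check_tunables_includes [BASE]    BASE defaults to /etc/apparmor.d
# Prints one line per problem and returns non-zero if any were found.
check_tunables_includes() {
    base="${1:-/etc/apparmor.d}"   # include paths such as 'tunables/proc' are relative to this
    global="$base/tunables/global"
    problems=0

    if [ ! -f "$global" ]; then
        echo "MISSING tunables/global"
        return 1
    fi

    # Match '#include <x>' (AppArmor 2.x style, as on 20.04) and 'include <x>'.
    # 'include if exists <x>' lines do not match: a missing optional file is not an error.
    includes=$(sed -n 's/^[[:space:]]*#\{0,1\}include[[:space:]]*<\([^>]*\)>.*/\1/p' "$global")

    for rel in $includes; do
        path="$base/$rel"
        if [ ! -e "$path" ]; then
            # This is the condition behind "Could not open 'tunables/proc'".
            echo "MISSING $rel"
            problems=$((problems + 1))
        elif [ -f "$path" ]; then
            mode=$(stat -c %a "$path")   # GNU stat: octal permission bits
            if [ "$mode" != "644" ]; then
                echo "MODE $rel $mode"
                problems=$((problems + 1))
            fi
        fi
    done

    [ "$problems" -eq 0 ]
}
```
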
