HEX
Server: Apache/2.4.58 (Ubuntu)
System: Linux ns3133907 6.8.0-86-generic #87-Ubuntu SMP PREEMPT_DYNAMIC Mon Sep 22 18:03:36 UTC 2025 x86_64
User: cssnetorguk (1024)
PHP: 8.2.28
Disabled: NONE
Upload Files
File: //proc/thread-self/root/etc/apparmor.d/ubuntu_pro_esm_cache
abi <abi/3.0>,

include <tunables/global>

# attach_disconnected is needed in all profiles defined here because this
# service runs with systemd's PrivateTmp=true

profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/user-tmp>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability setgid,
  capability setuid,

  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,

  /etc/apt/** r,
  /etc/machine-id r,
  /etc/ubuntu-advantage/uaclient.conf r,
  # GH: #3109
  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/,lib/}os-release r,

  /run/ubuntu-advantage/ rw,
  /run/ubuntu-advantage/** rw,

  /run/systemd/container/ r,
  /run/systemd/container/** r,

  /{,usr/}bin/apt mrix,
  /{,usr/}bin/apt-cache mrix,
  /{,usr/}bin/ischroot mrix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  # LP: #2067319
  /{,usr/}bin/uname mrix,

  /{,usr/}bin/cloud-id Cx -> cloud_id,
  # LP: #2067319
  /{,usr/}bin/ps Cx -> ps,
  /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
  /{,usr/}bin/dpkg Cx -> dpkg,
  /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
  /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
  /{,usr/}lib/apt/methods/http Cx -> apt_methods,
  /{,usr/}lib/apt/methods/https Cx -> apt_methods,
  /{,usr/}lib/apt/methods/store Cx -> apt_methods,
  # when there is no status.json cached, esm-cache.service will invoke "snap status"
  /{,usr/}bin/snap PUx,

  /usr/share/dpkg/** r,
  /usr/share/keyrings/* r,

  /var/cache/apt/** rw,

  /var/lib/apt/** r,
  /var/lib/dpkg/** r,
  /var/lib/ubuntu-advantage/** rwk,

  /var/log/ubuntu-advantage.log rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/1/cgroup r,
  @{PROC}/version_signature r,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,



  profile ps flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>

    capability sys_ptrace,

    # GH: #3079
    capability dac_read_search,
    capability dac_override,

    # GH: #3119
    ptrace (read,trace),

    # LP: #2067319
    /{,usr/}bin/ps mrix,

    /dev/tty r,

    @{PROC}/ r,
    @{PROC}/@{pid}/** r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/** r,
    # GH: #3079
    @{PROC}/tty/drivers r,
    /sys/devices/system/node/ r,
    /sys/devices/system/node/** r,
  }

  profile cloud_id flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/python>

    ptrace read peer=unconfined,

    /etc/cloud/** r,
    /etc/apt/** r,
    /etc/apport/** r,
    /etc/ssl/openssl.cnf r,

    @{PROC}/@{pid}/fd/ r,
    @{PROC}/cmdline r,
    @{PROC}/1/environ r,
    @{PROC}/1/cmdline r,
    @{PROC}/@{pid}/status r,

    /run/cloud-init/** r,

    /{,usr/}bin/ r,
    /{,usr/}bin/cloud-id r,
    /{,usr/}bin/python3.{1,}[0-9] mrix,
    # LP: #2067319
    /{,usr/}bin/uname mrix,

    /usr/share/dpkg/** r,

    # workarounds for
    # https://gitlab.com/apparmor/apparmor/-/issues/346
    # LP: #2067319
    /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
    /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,

    /var/lib/cloud/** r,



  }

  profile dpkg flags=(attach_disconnected) {
    include <abstractions/base>

    capability setgid,

    /etc/dpkg/** r,

    /{,usr/}bin/dpkg mr,

    # LP: #2067810
    /var/lib/dpkg/** r,

  }

  profile ubuntu_distro_info flags=(attach_disconnected) {
    include <abstractions/base>

    /{,usr/}bin/ubuntu-distro-info mr,

    /usr/share/distro-info/** r,

  }

  profile apt_methods flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    network inet stream,
    network inet6 stream,

    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,

    /{,usr/}lib/apt/methods/gpgv mr,
    /{,usr/}lib/apt/methods/http mr,
    /{,usr/}lib/apt/methods/https mr,
    /{,usr/}lib/apt/methods/store mr,

    /usr/share/dpkg/** r,

    # LP: #2067810
    /var/lib/dpkg/** r,

    /var/lib/ubuntu-advantage/apt-esm/** rwk,

    @{PROC}/@{pid}/cgroup r,
    @{PROC}/@{pid}/fd/ r,

  }

  profile apt_methods_gpgv flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,

    # there are just too many shell script tools that are called, like head,
    # tail, cut, sed, etc
    /{,usr/}bin/* mrix,

    /{,usr/}lib/apt/methods/gpgv mr,

    /usr/share/dpkg/** r,
    /usr/share/keyrings/* r,

    /var/lib/ubuntu-advantage/apt-esm/** r,

    @{PROC}/@{pid}/fd/ r,

    # apt-config command needs these
    # Note: observed only in xenial tests, but makes sense for all releases
    /etc/apt/** r,
    /var/lib/apt/** r,

    # LP: #2067810
    /var/lib/dpkg/** r,

  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/ubuntu_pro_esm_cache>
}

  # these profiles were initially subprofiles of cloud-id, but:
  # a) that crashes the kernel
  # https://gitlab.com/apparmor/apparmor/-/issues/346
  # b) <= bionic doesn't like the // or - chars in profile names
  # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac

  profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
    include <abstractions/base>

    capability net_admin,
    capability sys_ptrace,

    ptrace read peer=unconfined,


    unix bind addr=@*/bus/systemctl/{,system},


    # LP: #2067319
    /{,usr/}bin/systemctl mr,

    /run/systemd/private rw,
    /run/systemd/** r,

    @{PROC}/cmdline r,
    # GH: #3119
    @{PROC}/1/* r,
    @{PROC}/@{pid}/stat r,
    @{PROC}/sys/kernel/osrelease r,
    # GH: 3119
    /sys/firmware/efi/efivars/** r,
  }

  profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
    include <abstractions/base>

    capability sys_ptrace,

    ptrace read peer=unconfined,

    /{,usr/}bin/systemd-detect-virt mr,

    /run/systemd/** r,

    /sys/devices/virtual/** r,
    # GH: #3119
    /sys/firmware/efi/efivars/** r,
    @{PROC}/@{pid}/status r,
    @{PROC}/@{pid}/stat r,
    @{PROC}/1/environ r,
    @{PROC}/1/sched r,
    @{PROC}/cmdline r,
    @{PROC}/1/cmdline r,
    @{PROC}/sys/kernel/osrelease r,

  }