Public bug reported:
On Plucky, the output of lsblk does not list PCI block devices whose
BDFs contain hex digits in [a-f], instead resulting in apparmor="DENIED"
messages in dmesg for those devices.
In /etc/apparmor.d/lsblk, the line @{sys}/devices/pci[0-9]*:[0-9]*/**
attempts to match paths with PCI BDFs, which are in hex, using only
decimal digits [0-9] (thus devices whose BDFs contain hex digits in
[a-f] are omitted). I've submitted an MR upstream with a simple fix (1).
The lsblk AppArmor profile was first introduced in Plucky (2), so prior
releases should not be affected by this issue.
(1) https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
(2) https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu/lsblk_mr_1437.patch?h=ubuntu/plucky
Ex.: Expected to see all nvmeXn1 (0-9) devices listed, but some are
omitted, such as nvme2n1. nvme2n1 appears under the PCI segment:bus
directory pci0000:ae (containing hex digits in [a-f]), thus AppArmor
denials appear in dmesg and nvme2n1 is omitted from the output of lsblk.
$ lsblk
NAME          MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda             8:0    1  29.3G  0 disk
└─sda1          8:1    1  29.3G  0 part
sdb             8:16   1     0B  0 disk
sr0            11:0    1  1024M  0 rom
nvme1n1       259:0    0 894.3G  0 disk
├─nvme1n1p1   259:2    0   512M  0 part /boot/efi
└─nvme1n1p2   259:3    0 893.8G  0 part /
nvme0n1       259:1    0 894.3G  0 disk
nvme4n1       259:4    0   3.5T  0 disk
nvme9n1       259:6    0   3.5T  0 disk
nvme8n1       259:8    0   3.5T  0 disk
nvme6n1       259:11   0   3.5T  0 disk
$ readlink -f /sys/class/block/nvme2n1/device
/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2
$ sudo dmesg | grep -i nvme
...
[11748.808896] audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808931] audit: type=1400 audit(1750465699.990:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
...
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
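The rule mismatch the report describes, worked through as an added example (this is not code from the reporter or from the apparmor project). It approximates AppArmor path globbing (`*` matches within one path component, `**` crosses `/`, `[...]` is a character class, `{a,b}` alternation, `@{sys}` expands to `/sys`), replays the three DENIED records from the report against the original rule, and checks a hex-aware variant of the rule. `PROPOSED_RULE` is an assumption about what such a variant looks like, not the text of MR 1725; `DECIMAL_ROOT_PATH` is a constructed sysfs path for a disk on a decimal-only PCI root.

```python
"""Emulate the lsblk AppArmor rule from the bug report against sysfs device paths.

Added example; not code from the apparmor project or the bug reporter. AppArmor
globbing is approximated: '*' matches any run of characters except '/', '**' also
crosses '/', '[...]' is a character class, '{a,b}' is an alternation, and @{sys}
expands to /sys. PROPOSED_RULE is an assumption (hex character classes); the actual
text of MR 1725 is not reproduced here.
"""
import re

ORIGINAL_RULE = "@{sys}/devices/pci[0-9]*:[0-9]*/**"        # rule quoted in the report
PROPOSED_RULE = "@{sys}/devices/pci[0-9a-f]*:[0-9a-f]*/**"  # assumption: hex-aware classes

VARIABLES = {"@{sys}": "/sys"}


def apparmor_glob_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate an AppArmor path glob into an anchored regular expression."""
    for var, value in VARIABLES.items():
        rule = rule.replace(var, value)
    out, i, depth = [], 0, 0
    while i < len(rule):
        c = rule[i]
        if rule.startswith("**", i):
            out.append(".*")            # '**' crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # single '*' stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                  # character class: copy through the closing ']'
            j = rule.index("]", i)
            out.append(rule[i:j + 1])
            i = j
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_allows(rule: str, path: str) -> bool:
    """True when the (emulated) AppArmor glob matches the whole path."""
    return apparmor_glob_to_regex(rule).match(path) is not None


PCI_ROOT = re.compile(r"^/sys/devices/(pci[0-9a-fA-F]{4}:[0-9a-fA-F]{2})/")


def pci_root_needs_hex(path: str) -> bool:
    """True when the pciSSSS:BB root of a sysfs path contains a letter in segment or bus."""
    m = PCI_ROOT.match(path)
    return bool(m) and any(ch in "abcdefABCDEF" for ch in m.group(1)[3:])


AUDIT_LINE = re.compile(
    r'apparmor="DENIED" .*?profile="(?P<profile>[^"]+)" .*?name="(?P<name>[^"]+)"'
)


def denied_paths(dmesg_text: str, profile: str = "lsblk") -> list:
    """Extract the paths from AppArmor DENIED records for one profile, in order."""
    return [m.group("name") for m in AUDIT_LINE.finditer(dmesg_text)
            if m.group("profile") == profile]


def explain_denials(dmesg_text: str) -> dict:
    """Map each denied path to which rule would allow it and whether a hex PCI root is the cause."""
    return {
        p: {"original": rule_allows(ORIGINAL_RULE, p),
            "proposed": rule_allows(PROPOSED_RULE, p),
            "hex_root": pci_root_needs_hex(p)}
        for p in denied_paths(dmesg_text)
    }


# The three records from the report, re-joined onto single lines as dmesg prints them.
SAMPLE_DMESG = """\
[11748.808896] audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808931] audit: type=1400 audit(1750465699.990:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Constructed path for a SATA disk on a decimal-only PCI root; the original rule does allow it.
DECIMAL_ROOT_PATH = "/sys/devices/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0/block/sda/dev"

if __name__ == "__main__":
    for path, verdict in explain_denials(SAMPLE_DMESG).items():
        print(path, verdict)
```

Run against a live system, the same check is `sudo dmesg | python3 -c 'import sys, thisfile; print(thisfile.explain_denials(sys.stdin.read()))'` style: any path whose `hex_root` is true and `original` is false is exactly the class of device the report describes. Note that the emulation is only of the glob, not of the profile's other rules or of `deny`/`owner` qualifiers, so a path it reports as allowed can still be denied by something else in the profile.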
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2115234
Title:
Improper matching for hex PCI BDFs in lsblk profile
Status in apparmor package in Ubuntu:
New