@enr0n Thanks for the insight and suggestion! I copied a minimal version
of the lsblk profile containing only what is necessary to enable the
problematic rule seen in lsblk on plucky and in other profiles across
releases (other rules in the full lsblk profile from plucky rely on
things not present in apparmor versions on prior releases and are not
relevant to the problematic rule). The before/after comparison here is
consistent with all changes made across affected profiles on jammy and
noble, where the same decimal-matching rule used in /sys/devices/ PCI
paths was updated to use a new @{pci_bus} abstraction which is
appropriately hex-matching.

---

I tested 4.0.1really4.0.1-0ubuntu0.24.04.5 from noble-proposed and
3.0.4-2ubuntu2.5 from jammy-proposed and verified the issue is fixed in
both cases:

* requires a machine with PCI block devices whose bus/domain begins with a hex char a-f (usually a machine with many such devices)
1. enable -proposed, install apparmor from -proposed, verify correct version was installed, restart apparmor service
2. add a profile for lsblk containing an example of the incorrect decimal-matching pattern used across the profiles affected (shown below), load the profile (apparmor_parser -r /etc/apparmor.d/lsblk)
3. invoke `lsblk`, verify that some block devices are omitted; each block device omitted is one whose PCI bus/domain begins with a hex char a-f and omissions are accompanied by 'apparmor="DENIED"' messages in dmesg
4. edit the lsblk profile to use the new pci_bus hex-matching abstraction consistent with how the problematic rule was addressed in all other affected profiles, reload the profile
5. invoke `lsblk`, verify that no block devices are omitted; each block device whose PCI bus/domain begins with a hex char a-f is now correctly listed

/etc/apparmor.d/lsblk before (failure case, decimal-matching /sys/devices/ PCI 
rule present in other affected profiles):
include <tunables/global>
profile lsblk /usr/bin/lsblk {
  include <abstractions/base>
  @{sys}/block/ r,
  @{sys}/class/block/ r,
  @{sys}/dev/block/ r,
  @{sys}/devices/pci[0-9]*:[0-9]*/** r,  # <--
}

/etc/apparmor.d/lsblk after (passing case, updated rule now used in all other 
affected profiles):
include <tunables/global>
profile lsblk /usr/bin/lsblk {
  include <abstractions/base>
  @{sys}/block/ r,
  @{sys}/class/block/ r,
  @{sys}/dev/block/ r,
  @{sys}/devices/@{pci_bus}/** r,  # <--
}

** Tags removed: verification-needed-jammy verification-needed-noble
** Tags added: verification-done-jammy verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2115234

Title:
  Improper globbing in rules for /sys/devices PCI paths

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2115234/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
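To make the globbing difference concrete, here is an added example (not part of the bug report or of the apparmor project) that translates the two rules above into regexes and checks which constructed /sys/devices paths each one would deny. It assumes @{sys} expands to /sys and that @{pci_bus} is defined as pci[0-9a-f]{4}:[0-9a-f]{2} as in the AppArmor 4.x tunables; check the values against your own /etc/apparmor.d/tunables/.

```python
import re

# Assumed tunable values (verify against /etc/apparmor.d/tunables/ on the host).
TUNABLES = {
    "@{sys}": "/sys",
    "@{pci_bus}": "pci[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]",
}

BEFORE = "@{sys}/devices/pci[0-9]*:[0-9]*/**"   # decimal-matching rule
AFTER = "@{sys}/devices/@{pci_bus}/**"          # hex-matching abstraction

# Constructed sample paths of the kind lsblk reads on a many-slot host.
PATHS = [
    "/sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda/size",
    "/sys/devices/pci0000:a0/0000:a0:01.0/nvme/nvme0/nvme0n1/size",
    "/sys/devices/pci0000:c3/0000:c3:00.0/nvme/nvme1/nvme1n1/size",
]


def expand(rule: str) -> str:
    """Substitute @{var} tunables into a path glob."""
    for name, value in TUNABLES.items():
        rule = rule.replace(name, value)
    return rule


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate the AppArmor glob subset used by these rules into a regex:
    '**' matches anything including '/', '*' anything except '/',
    '?' one char except '/', '[...]' is a character class, rest is literal."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def denied(rule: str, paths) -> list:
    """Return the paths the rule does not grant, i.e. those AppArmor would DENY."""
    rx = glob_to_regex(expand(rule))
    return [p for p in paths if not rx.match(p)]
```

Running denied(BEFORE, PATHS) lists the two paths whose PCI bus begins with a-f, matching the omitted devices and DENIED messages in the test above, while denied(AFTER, PATHS) is empty.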