This bug was fixed in the package apparmor - 4.1.0~beta5-0ubuntu12

---------------
apparmor (4.1.0~beta5-0ubuntu12) plucky; urgency=medium

  [ Ryan Lee ]
  * Add patch to fix lsblk denials on Hyper-V systems (LP: #2103524):
    - d/p/u/lsblk_hyper_v_fixup.patch
  * Add patch to allow fusermount3 to mount nested subdirectories of
    @{run}/user/@{uid} (LP: #2103889):
    - d/p/u/fusermount3-mount-nested-subdirs-run-user.patch
  * Add patch to fix utils hotkey conflict with ignore (LP: #2104194):
    - d/p/u/utils-fix-ignore-hotkey-conflict.patch
  * Add patch to fix aa-enforce not handling child profiles (LP: #2104193):
    - d/p/u/utils-fix-profile-header-patch-generation.patch

  [ Tim Andersson ]
  * Allow remmina to make DescribeAll calls through the DBus.
    (LP: #2102033):
    - d/p/u/remmina-dbus-describeall.patch

 -- Ryan Lee <ryan....@canonical.com>  Mon, 24 Mar 2025 10:14:46 -0700

** Changed in: apparmor (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2103524

Title:
  lsblk apparmor profile denies block device lookup on Azure

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Release: 25.04
  Package version: 4.1.0~beta5-0ubuntu8

  # What should happen

  `lsblk` on Azure should list the disk images:

  ubuntu@alan-plucky-base-hieursuvme:~$ lsblk
  NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
  sda       8:0    0   10G  0 disk
  └─sda1    8:1    0   10G  0 part /mnt
  sdb       8:16   0   30G  0 disk
  ├─sdb1    8:17   0 28.9G  0 part /
  ├─sdb13   8:29   0 1023M  0 part /boot
  ├─sdb14   8:30   0    4M  0 part
  └─sdb15   8:31   0  106M  0 part /boot/efi
  sr0      11:0    1  628K  0 rom

  # What happened instead

  The lsblk apparmor profile introduced with 4.1.0~beta5-0ubuntu2 [0]
  breaks lsblk on Azure:

  ubuntu@alan-plucky-base-hieursuvme:~$ lsblk
  NAME MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
  sr0   11:0    1  628K  0 rom

  ubuntu@alan-plucky-base-hieursuvme:~$ journalctl --no-pager | grep DENIED
  Mar 17 18:20:08 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742235608.633:177): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0001-8899-0000-000000000000/host1/target1:0:1/1:0:1:0/block/sda/" pid=822 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Mar 17 18:20:08 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742235608.693:178): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0001-8899-0000-000000000000/host1/target1:0:1/1:0:1:0/block/sda/sda1/" pid=825 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.881:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0000-8899-0000-000000000000/host0/target0:0:0/0:0:0:0/block/sdb/hidden" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:183): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0000-8899-0000-000000000000/host0/target0:0:0/0:0:0:0/block/sdb/dev" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:184): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0001-8899-0000-000000000000/host1/target1:0:1/1:0:1:0/block/sda/hidden" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:185): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0001-8899-0000-000000000000/host1/target1:0:1/1:0:1:0/block/sda/dev" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:186): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0000-8899-0000-000000000000/host0/target0:0:0/0:0:0:0/block/sdb/sdb1/" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:187): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/proc/cmdline" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  The correct `lsblk` output was achieved by applying the recommended
  interim fix with a local lsblk apparmor override and reloading the
  profile:

  sudo bash -c "echo '@{sys}/devices/LNXSYSTM:*/** r,' >> /etc/apparmor.d/local/lsblk"

  References:
  [0] https://bugs.launchpad.net/ubuntu/+source/apparmor/4.1.0~beta5-0ubuntu2
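
Added example (not part of the original report or of the apparmor package): a small Python check that parses DENIED audit records like the ones quoted above and lists which denied paths the interim local rule would still not allow. It assumes @{sys} expands to /sys/ with repeated slashes collapsed, and uses a simplified model of AppArmor globbing; the function names are hypothetical.

```python
import re

# Constructed sample: three of the audit records quoted in the report above.
SAMPLE = [
    'Mar 17 18:20:08 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742235608.633:177): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0001-8899-0000-000000000000/host1/target1:0:1/1:0:1:0/block/sda/" pid=822 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:183): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/00000000-0000-8899-0000-000000000000/host0/target0:0:0/0:0:0:0/block/sdb/dev" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Mar 17 18:26:45 alan-plucky-base-hieursuvme kernel: audit: type=1400 audit(1742236005.882:187): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/proc/cmdline" pid=12278 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# Assumption: @{sys} expands to /sys/ and repeated slashes are collapsed.
VARIABLES = {"@{sys}": "/sys/"}
INTERIM_RULE = "@{sys}/devices/LNXSYSTM:*/** r,"  # rule from the report

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(lines):
    """Return one field dict per AppArmor DENIED audit record."""
    records = []
    for line in lines:
        if 'apparmor="DENIED"' in line:
            records.append({k: q or bare for k, q, bare in FIELD.findall(line)})
    return records

def rule_matcher(rule):
    """Compile 'PATH PERMS,' into (regex, perms); simplified glob model."""
    path, perms = rule.rstrip(",").rsplit(None, 1)
    for var, value in VARIABLES.items():
        path = path.replace(var, value)
    path = re.sub(r"/+", "/", path)
    # '**' crosses '/', a single '*' stays inside one path component.
    parts = re.split(r"(\*\*|\*)", path)
    regex = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(regex + r"\Z"), set(perms)

def uncovered(lines, rule):
    """Names of denied accesses that the rule would still not allow."""
    regex, perms = rule_matcher(rule)
    return sorted({r["name"] for r in parse_denials(lines)
                   if not (regex.match(r["name"]) and set(r["denied_mask"]) <= perms)})

if __name__ == "__main__":
    print(uncovered(SAMPLE, INTERIM_RULE))
```

On the sample, both sysfs denials fall under the interim rule, while the /proc/cmdline denial lies outside it.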