This bug was fixed in the package apparmor - 4.1.0~beta5-0ubuntu15
---------------
apparmor (4.1.0~beta5-0ubuntu15) questing; urgency=medium
* Add patch to allow unprivileged_userns access to root dir
(https://gitlab.com/apparmor/apparmor/-/issues/505):
- d/p/u/unprivileged_userns_rootdir.patch
* Add patch to fix lsblk accesses on IBM System Z systems (LP: #2107402)
and execution from a confined context (LP: #2107455):
- d/p/u/lsblk-s390-fixes.patch
* Add patch to fix execution of various commands from confined contexts
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1637,
backport of the profile fixes and logprof test fix):
- d/p/u/profiles_ensure_access_to_attach_path.patch
* Add patch to include new QtWebEngineProcess execution path in
plasmashell profile (LP: #2107723):
- d/p/u/plasmashell-QtWebEngineProcess-new-path.patch
* Add patch to allow /cvmfs fusermounts
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1587):
- d/p/u/fusermount3_cvmfs.patch
* Add patch to grant OpenVPN DNS accesses (LP: #2107596, LP: #2109029)
- d/p/u/openvpn_dnsfix.patch
* Add patch to expand allowed fusermount3 flags for fuse_overlayfs
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1673)
- d/p/u/fusermount3_allow_more_flags.patch
* Add patch to fix permission denials for iotop-c (LP: #2107727):
- d/p/u/profiles-give-iotop-c-additional-accesses.patch
* Add patch to fix parser handling of norelatime mount flag
(https://gitlab.com/apparmor/apparmor/-/merge_requests/1679):
- d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch
* Add patch to fix incorrect mount rule documentation in the apparmor.d
man page (https://gitlab.com/apparmor/apparmor/-/merge_requests/1674):
- d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch
- d/p/u/regression-verify-documented-mount-flag-behavior.patch
* d/p/u/remmina_mr_1348.patch, d/p/u/remmina-dbus-describeall.patch:
move the remmina profile to profiles/apparmor/profiles/extras to
disable it by default (LP: #2102033)
* debian/apparmor.install: remove the remmina profile entry
* debian/apparmor-profiles.install: add an entry for the remmina profile
* debian/apparmor.maintscript: remove the remmina profile upon upgrade
-- Ryan Lee <ryan....@canonical.com> Wed, 07 May 2025 11:29:02 -0700
** Changed in: apparmor (Ubuntu)
Status: Confirmed => Fix Released
** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #505
https://gitlab.com/apparmor/apparmor/-/issues/505
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2107402
Title:
lsblk on IBM z Systems blocked by apparmor in 25.04
Status in Release Notes for Ubuntu:
Fix Released
Status in Ubuntu on IBM z Systems:
Confirmed
Status in apparmor package in Ubuntu:
Fix Released
Status in util-linux package in Ubuntu:
Invalid
Bug description:
Fresh install of 25.04 on s390x. Same happens also on upgrade from
24.10 to 25.04
lsblk returns no output
journactl shows it is blocked by apparmor
This works fine for SCSI devices, it fails only for DASD.
```
2025-04-15T15:02:26.048055+00:00 s5lp1-gen03 kernel: kauditd_printk_skb: 6
callbacks suppressed
2025-04-15T15:02:26.048075+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:270): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0000/0.0.0101/block/dasda/hidden"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048077+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:271): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0000/0.0.0101/block/dasda/dev"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048078+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:272): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0003/0.0.0104/block/dasdd/hidden"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048079+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:273): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0003/0.0.0104/block/dasdd/dev"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048080+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:274): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0001/0.0.0102/block/dasdb/hidden"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048080+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:275): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0001/0.0.0102/block/dasdb/dev"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048081+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:276): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0002/0.0.0103/block/dasdc/hidden"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-04-15T15:02:26.048081+00:00 s5lp1-gen03 kernel: audit: type=1400
audit(1744729346.034:277): apparmor="DENIED" operation="open" class="file"
profile="lsblk" name="/sys/devices/css0/0.0.0002/0.0.0103/block/dasdc/dev"
pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Attaching also strace
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2107402/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
