@rlee287 Sorry for the confusion. The scope of the original MR and bug was extended beyond just the lsblk profile as the same improper matching for PCI device paths is present in many other profiles (link below). I will update the bug title and description here shortly.
https://gitlab.com/apparmor/apparmor/-/merge_requests/1725

https://bugs.launchpad.net/bugs/2115234

Title:
  Improper matching for hex PCI BDFs in lsblk profile

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Jammy:
  New
Status in apparmor source package in Noble:
  New
Status in apparmor source package in Plucky:
  New
Status in apparmor source package in Questing:
  New

Bug description:
  On Plucky, the output of lsblk does not list PCI block devices whose
  BDFs contain hex digits in [a-f], instead resulting in
  apparmor="DENIED" messages in dmesg for those devices.

  In /etc/apparmor.d/lsblk, the line

    @{sys}/devices/pci[0-9]*:[0-9]*/**

  attempts to match paths with PCI BDFs, which are in hex, using only
  decimal digits [0-9] (thus devices whose BDFs contain hex digits in
  [a-f] are omitted).

  I've submitted an MR upstream with a simple fix (1).

  The lsblk AppArmor profile was first introduced in Plucky (2), so
  prior releases should not be affected by this issue.

  (1) https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
  (2) https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu/lsblk_mr_1437.patch?h=ubuntu/plucky

  Ex.:

  Expected to see all nvmeXn1 (0-9) devices listed, but some are
  omitted, such as nvme2n1. nvme2n1 appears under the PCI segment:bus
  directory pci0000:ae (containing hex digits in [a-f]), thus AppArmor
  denials appear in dmesg and nvme2n1 is omitted from the output of
  lsblk.

  $ lsblk
  NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
  sda           8:0    1  29.3G  0 disk
  └─sda1        8:1    1  29.3G  0 part
  sdb           8:16   1     0B  0 disk
  sr0          11:0    1  1024M  0 rom
  nvme1n1     259:0    0 894.3G  0 disk
  ├─nvme1n1p1 259:2    0   512M  0 part /boot/efi
  └─nvme1n1p2 259:3    0 893.8G  0 part /
  nvme0n1     259:1    0 894.3G  0 disk
  nvme4n1     259:4    0   3.5T  0 disk
  nvme9n1     259:6    0   3.5T  0 disk
  nvme8n1     259:8    0   3.5T  0 disk
  nvme6n1     259:11   0   3.5T  0 disk

  $ readlink -f /sys/class/block/nvme2n1/device
  /sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2

  $ sudo dmesg | grep -i nvme
  ...
  [11748.808896] audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [11748.808931] audit: type=1400 audit(1750465699.990:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ...
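
Added example, not part of the bug report or the upstream merge request: a small checker that translates the quoted rule into a regex and tests it against the path from one of the denials above, showing that `[0-9]*` is one decimal character followed by a glob, so only a bus number whose first digit is in [a-f] fails. Assumptions: `@{sys}` is expanded to `/sys`, the glob translation is a simplified subset of AppArmor's, `HEX_RULE` is a hypothetical hex-aware variant rather than the MR's actual change, and the `CONSTRUCTED` paths are made up for comparison.

```python
import re

# Rule quoted in the bug report, with @{sys} expanded to /sys (assumption).
OLD_RULE = "/sys/devices/pci[0-9]*:[0-9]*/**"
# Hypothetical hex-aware variant for comparison; not the text of the upstream MR.
HEX_RULE = "/sys/devices/pci[0-9a-f]*:[0-9a-f]*/**"

# Audit line copied from the dmesg output in the bug report.
SAMPLE_LOG = (
    '[11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" '
    'operation="open" class="file" profile="lsblk" '
    'name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0'
    '/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0\n'
)
# Constructed paths: decimal bus, and a bus with a leading decimal digit then hex.
CONSTRUCTED = [
    "/sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/dev",
    "/sys/devices/pci0000:3a/0000:3a:00.0/nvme/nvme0/dev",
]

def aa_glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', * and ? do not,
    [...] matches exactly one character from the class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def allowed(rule, path):
    """True when the whole path is covered by the rule's glob."""
    return aa_glob_to_regex(rule).fullmatch(path) is not None

def denied_names(log, profile):
    """Extract name= paths from apparmor="DENIED" audit lines for one profile."""
    pat = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')
    return [m.group(2) for m in pat.finditer(log) if m.group(1) == profile]

if __name__ == "__main__":
    for path in denied_names(SAMPLE_LOG, "lsblk") + CONSTRUCTED:
        print(f"old={allowed(OLD_RULE, path)} hex={allowed(HEX_RULE, path)} {path}")
```

Hex digits in the child directories (such as `0000:00:1f.2`) never matter here because everything after the `pciDDDD:BB` directory falls under `/**`.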

