** Summary changed:

- Improper matching for hex PCI BDFs in lsblk profile
+ Improper globbing in rules for /sys/devices PCI paths
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2115234

Title:
  Improper globbing in rules for /sys/devices PCI paths

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Jammy:
  New
Status in apparmor source package in Noble:
  New
Status in apparmor source package in Plucky:
  New
Status in apparmor source package in Questing:
  New

Bug description:
  On Plucky, the output of lsblk does not list PCI block devices whose BDFs contain hex digits in [a-f], instead resulting in apparmor="DENIED" messages in dmesg for those devices.

  In /etc/apparmor.d/lsblk, the line

    @{sys}/devices/pci[0-9]*:[0-9]*/**

  attempts to match paths with PCI BDFs, which are in hex, using only decimal digits [0-9] (thus devices whose BDFs contain hex digits in [a-f] are omitted).

  I've submitted an MR upstream with a simple fix (1). The lsblk AppArmor profile was first introduced in Plucky (2), so prior releases should not be affected by this issue.

  (1) https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
  (2) https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu/lsblk_mr_1437.patch?h=ubuntu/plucky

  Ex.: Expected to see all nvmeXn1 (0-9) devices listed, but some are omitted, such as nvme2n1. nvme2n1 appears under the PCI segment:bus directory pci0000:ae (containing hex digits in [a-f]), thus AppArmor denials appear in dmesg and nvme2n1 is omitted from the output of lsblk.
  $ lsblk
  NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
  sda           8:0    1  29.3G  0 disk
  └─sda1        8:1    1  29.3G  0 part
  sdb           8:16   1     0B  0 disk
  sr0          11:0    1  1024M  0 rom
  nvme1n1     259:0    0 894.3G  0 disk
  ├─nvme1n1p1 259:2    0   512M  0 part /boot/efi
  └─nvme1n1p2 259:3    0 893.8G  0 part /
  nvme0n1     259:1    0 894.3G  0 disk
  nvme4n1     259:4    0   3.5T  0 disk
  nvme9n1     259:6    0   3.5T  0 disk
  nvme8n1     259:8    0   3.5T  0 disk
  nvme6n1     259:11   0   3.5T  0 disk

  $ readlink -f /sys/class/block/nvme2n1/device
  /sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2

  $ sudo dmesg | grep -i nvme
  ...
  [11748.808896] audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  [11748.808931] audit: type=1400 audit(1750465699.990:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ...
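As an added check that is not part of the bug report or the AppArmor project's code: the script below translates an AppArmor path glob into an anchored regex and tests it against the path taken from one of the DENIED audit lines above, showing why the [0-9] rule misses pci0000:ae while a lowercase-hex class covers it. The hex form of the rule is my assumption (the merge request's exact change is not quoted here), @{sys} is assumed to expand to /sys, and the decimal-only path is constructed.

```python
import re

# Rule quoted from /etc/apparmor.d/lsblk in the bug report, and my assumed
# corrected form (the upstream MR is not quoted here) using lowercase hex.
RULE_DECIMAL = "@{sys}/devices/pci[0-9]*:[0-9]*/**"
RULE_HEX = "@{sys}/devices/pci[0-9a-f]*:[0-9a-f]*/**"
VARIABLES = {"@{sys}": "/sys"}  # assumed value of the @{sys} tunable
# Constructed sample input: one DENIED line from the report's dmesg excerpt
# and one decimal-only sysfs path that is not from the page.
AUDIT_LINES = [
    'audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" '
    'operation="open" class="file" profile="lsblk" name="/sys/devices/'
    'pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/'
    'nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r"',
]
DECIMAL_PATH = "/sys/devices/pci0000:00/0000:00:1b.0/nvme/nvme1/nvme1n1/dev"


def glob_to_regex(rule):
    """Translate a subset of AppArmor path globbing into an anchored regex:
    variables, '**' (anything, '/' included), '*' (anything except '/')
    and '[...]' classes. '{a,b}' alternation is not handled."""
    for name, value in VARIABLES.items():
        rule = rule.replace(name, value)
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule[i] == "[":
            end = rule.index("]", i)
            out.append(rule[i:end + 1])  # class body has regex semantics
            i = end + 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def denied_paths(audit_lines):
    """Extract the name="..." path from each AppArmor audit line."""
    return [m.group(1) for line in audit_lines
            if (m := re.search(r'name="([^"]*)"', line))]


def unmatched_paths(rule, paths):
    """Paths the rule does not cover; each one would be a DENIED at runtime."""
    pat = glob_to_regex(rule)
    return [p for p in paths if not pat.match(p)]
```

On a live system the same check can be fed the output of `readlink -f /sys/class/block/*/device` to find any other devices a rule would miss before they show up as denials.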

