MP in upstream at https://gitlab.com/apparmor/apparmor/-/merge_requests/1808
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2126920

Title:
  lsblk profile need to allow read access to Azure NVMe ACPI hierarchy

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Questing:
  New

Bug description:
  When running tests of azure-vm-utils package on Questing 25.10 on an Azure VM machine we see:

  ubuntu@nmvedirect:~$ python3 --version
  Python 3.13.7
  ubuntu@nmvedirect:~$ sudo python3 ./selftest.py
  azure-nvme-id info: AzureNvmeIdInfo(azure_nvme_id_stdout='/dev/nvme0n1: type=os\n/dev/nvme1n1: type=local,index=1,name=nvme-110G-1\n', azure_nvme_id_stderr='', azure_nvme_id_returncode=0, azure_nvme_id_disks={'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model=None, nvme_id='type=os', type='os', index=None, lun=None, name=None, extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model=None, nvme_id='type=local,index=1,name=nvme-110G-1', type='local', index=1, lun=None, name='nvme-110G-1', extra={})}, azure_nvme_id_json_stdout='[\n {\n "path": "/dev/nvme0n1",\n "model": "MSFT NVMe Accelerator v1.0",\n "properties": {\n "type": "os"\n },\n "vs": ""\n },\n {\n "path": "/dev/nvme1n1",\n "model": "Microsoft NVMe Direct Disk v2",\n "properties": {\n "type": "local",\n "index": 1,\n "name": "nvme-110G-1"\n },\n "vs": "type=local,index=1,name=nvme-110G-1"\n }\n]\n', azure_nvme_id_json_stderr='', azure_nvme_id_json_returncode=0, azure_nvme_id_json_disks={'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model='MSFT NVMe Accelerator v1.0', nvme_id='', type='os', index=None, lun=None, name=None, extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model='Microsoft NVMe Direct Disk v2', nvme_id='', type='local', index=1, lun=None, name='nvme-110G-1', extra={})}, azure_nvme_id_help_stdout='Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n', azure_nvme_id_help_stderr='', azure_nvme_id_help_returncode=0, azure_nvme_id_version_stdout='azure-nvme-id 0.6.0-4\n', azure_nvme_id_version_stderr='', azure_nvme_id_version_returncode=0, azure_nvme_id_version='0.6.0-4', azure_nvme_id_zzz_stdout='Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n', azure_nvme_id_zzz_stderr='invalid argument: zzz\n', azure_nvme_id_zzz_returncode=1)
  error while fetching disk size: CalledProcessError(32, ['lsblk', '-b', '-n', '-o', 'SIZE', '-d', '/dev/nvme1n1'])
  Traceback (most recent call last):
    File "/home/ubuntu/./selftest.py", line 1118, in <module>
      main()
      ~~~~^^
    File "/home/ubuntu/./selftest.py", line 1110, in main
      validator = AzureVmUtilsValidator(
          skip_imds_validation=args.skip_imds_validation,
          skip_symlink_validation=args.skip_symlink_validation,
      )
    File "/home/ubuntu/./selftest.py", line 867, in __init__
      self.disk_info = DiskInfo.gather()
                       ~~~~~~~~~~~~~~~^^
    File "/home/ubuntu/./selftest.py", line 427, in gather
      nvme_local_disk_size_gib = min(
          get_disk_size_gib(f"/dev/{disk}") for disk in nvme_local_disks
      )
    File "/home/ubuntu/./selftest.py", line 428, in <genexpr>
      get_disk_size_gib(f"/dev/{disk}") for disk in nvme_local_disks
      ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
    File "/home/ubuntu/./selftest.py", line 195, in get_disk_size_gib
      proc = subprocess.run(
          ["lsblk", "-b", "-n", "-o", "SIZE", "-d", disk_path],
      ...<3 lines>...
          check=True,
      )
    File "/usr/lib/python3.13/subprocess.py", line 577, in run
      raise CalledProcessError(retcode, process.args, output=stdout, stderr=stderr)
  subprocess.CalledProcessError: Command '['lsblk', '-b', '-n', '-o', 'SIZE', '-d', '/dev/nvme1n1']' returned non-zero exit status 32.

  This is due to the apparmor lsblk profile:

  sudo dmesg | grep lsblk
  [ 461.611820] audit: type=1400 audit(1759492274.036:192): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/70b4ac38-05b7-4efe-8862-db2456dfec84/pci05b7:00/05b7:00:00.0/nvme/nvme0/nvme0n1/" pid=1707 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  I'm submitting the attached patch to upstream to fix it, which I tested is OK:

  ubuntu@t-questing-check-package:~$ sudo vim /etc/apparmor.d/lsblk
  ubuntu@t-questing-check-package:~$ sudo apparmor_parser -r /etc/apparmor.d/lsblk
  ubuntu@t-questing-check-package:~$ sudo systemctl reload apparmor
  ubuntu@t-questing-check-package:~$ sudo ./selftest.py
  [2025-10-03 14:31:00,379] azure-nvme-id info: AzureNvmeIdInfo(azure_nvme_id_stdout='/dev/nvme0n1: type=local,index=1,name=nvme-110G-1\n/dev/nvme1n1: type=os\n', azure_nvme_id_stderr='', azure_nvme_id_returncode=0, azure_nvme_id_disks={'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model=None, nvme_id='type=local,index=1,name=nvme-110G-1', type='local', index=1, lun=None, name='nvme-110G-1', extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model=None, nvme_id='type=os', type='os', index=None, lun=None, name=None, extra={})}, azure_nvme_id_json_stdout='[\n {\n "path": "/dev/nvme0n1",\n "model": "Microsoft NVMe Direct Disk v2",\n "properties": {\n "type": "local",\n "index": 1,\n "name": "nvme-110G-1"\n },\n "vs": "type=local,index=1,name=nvme-110G-1"\n },\n {\n "path": "/dev/nvme1n1",\n "model": "MSFT NVMe Accelerator v1.0",\n "properties": {\n "type": "os"\n },\n "vs": ""\n }\n]\n', azure_nvme_id_json_stderr='', azure_nvme_id_json_returncode=0, azure_nvme_id_json_disks={'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model='Microsoft NVMe Direct Disk v2', nvme_id='', type='local', index=1, lun=None, name='nvme-110G-1', extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model='MSFT NVMe Accelerator v1.0', nvme_id='', type='os', index=None, lun=None, name=None, extra={})}, azure_nvme_id_help_stdout='Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n', azure_nvme_id_help_stderr='', azure_nvme_id_help_returncode=0, azure_nvme_id_version_stdout='azure-nvme-id 0.6.0-4\n', azure_nvme_id_version_stderr='', azure_nvme_id_version_returncode=0, azure_nvme_id_version='0.6.0-4', azure_nvme_id_zzz_stdout='Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n', azure_nvme_id_zzz_stderr='invalid argument: zzz\n', azure_nvme_id_zzz_returncode=1)
  [2025-10-03 14:31:00,385] no SCSI resource disk found
  [2025-10-03 14:31:00,385] disks info: DiskInfo(root_device='nvme1n1p1', dev_disk_azure_links=['/dev/disk/azure/local/by-index/1', '/dev/disk/azure/local/by-name/nvme-110G-1', '/dev/disk/azure/local/by-serial/90df032a12b60d6c0001', '/dev/disk/azure/os', '/dev/disk/azure/os-part1', '/dev/disk/azure/os-part13', '/dev/disk/azure/os-part14', '/dev/disk/azure/os-part15'], dev_disk_azure_resource_disk=None, dev_disk_azure_resource_disk_size_gib=0, nvme_local_disk_size_gib=110, nvme_local_disks_v1=[], nvme_local_disks_v2=['nvme0n1'], nvme_local_disks=['nvme0n1'], nvme_remote_data_disks=[], nvme_remote_disks=[], nvme_remote_os_disk='nvme1n1', root_device_is_nvme=True, scsi_resource_disk=None, scsi_resource_disk_size_gib=0)
  [2025-10-03 14:31:00,408] sku config: None
  [2025-10-03 14:31:00,408] validate_azure_nvme_id_help OK: 'Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n'
  [2025-10-03 14:31:00,408] validate_azure_nvme_id_version OK: 0.6.0-4
  [2025-10-03 14:31:00,408] validate_azure_nvme_id_invalid_arg OK: 'Usage: azure-nvme-id [-d|--debug] [-u|--udev|-h|--help|-v|--version]\n -d, --debug Enable debug mode\n -f, --format {plain|json} Output format (default=plain)\n -h, --help Display this help message\n -u, --udev Enable udev mode\n -v, --version Display the version\n'
  [2025-10-03 14:31:00,408] validate_azure_nvme_disks OK: {'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model=None, nvme_id='type=local,index=1,name=nvme-110G-1', type='local', index=1, lun=None, name='nvme-110G-1', extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model=None, nvme_id='type=os', type='os', index=None, lun=None, name=None, extra={})}
  [2025-10-03 14:31:00,408] validate_azure_nvmve_id OK: '/dev/nvme0n1: type=local,index=1,name=nvme-110G-1\n/dev/nvme1n1: type=os\n'
  [2025-10-03 14:31:00,408] validate_azure_nvme_disks OK: {'nvme0n1': AzureNvmeIdDevice(device='/dev/nvme0n1', model=None, nvme_id='type=local,index=1,name=nvme-110G-1', type='local', index=1, lun=None, name='nvme-110G-1', extra={}), 'nvme1n1': AzureNvmeIdDevice(device='/dev/nvme1n1', model=None, nvme_id='type=os', type='os', index=None, lun=None, name=None, extra={})}
  [2025-10-03 14:31:00,408] validate_azure_nvmve_id_json OK: '[\n {\n "path": "/dev/nvme0n1",\n "model": "Microsoft NVMe Direct Disk v2",\n "properties": {\n "type": "local",\n "index": 1,\n "name": "nvme-110G-1"\n },\n "vs": "type=local,index=1,name=nvme-110G-1"\n },\n {\n "path": "/dev/nvme1n1",\n "model": "MSFT NVMe Accelerator v1.0",\n "properties": {\n "type": "os"\n },\n "vs": ""\n }\n]\n'
  [2025-10-03 14:31:00,408] validate_dev_disk_azure_links_data OK: []
  [2025-10-03 14:31:00,408] validate_dev_disk_azure_links_local OK: ['/dev/disk/azure/local/by-index/1', '/dev/disk/azure/local/by-name/nvme-110G-1', '/dev/disk/azure/local/by-serial/90df032a12b60d6c0001']
  [2025-10-03 14:31:00,408] validate_dev_disk_azure_links_os OK: '/dev/disk/azure/os'
  [2025-10-03 14:31:00,408] validate_dev_disk_azure_links_resource OK: '/dev/disk/azure/resource'
  [2025-10-03 14:31:00,408] validate_scsi_resource_disk OK: /dev/disk/azure/resource => None
  [2025-10-03 14:31:00,408] validate_interface enP64000s1 OK: NetworkInterface(name='enP64000s1', driver='mlx5_core', mac='7c:1e:52:5d:4e:18', ipv4_addrs=[], udev_properties={'DEVPATH': '/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/74be939c-fa00-4f1c-92d2-01b92989e8bc/pcifa00:00/fa00:00:02.0/net/enP64000s1', 'INTERFACE': 'enP64000s1', 'IFINDEX': '3', 'SUBSYSTEM': 'net', 'USEC_INITIALIZED': '9137589', 'AZURE_UNMANAGED_SRIOV': '1', 'ID_NET_MANAGED_BY': 'unmanaged', 'NM_UNMANAGED': '1', 'ID_NET_DRIVER': 'mlx5_core', 'ID_BUS': 'pci', 'ID_VENDOR_ID': '0x15b3', 'ID_MODEL_ID': '0x101a', 'ID_PCI_CLASS_FROM_DATABASE': 'Network controller', 'ID_PCI_SUBCLASS_FROM_DATABASE': 'Ethernet controller', 'ID_VENDOR_FROM_DATABASE': 'Mellanox Technologies', 'ID_MODEL_FROM_DATABASE': 'MT28800 Family [ConnectX-5 Ex Virtual Function]', 'ID_NET_NAMING_SCHEME': 'v257', 'ID_NET_NAME_MAC': 'enx7c1e525d4e18', 'ID_OUI_FROM_DATABASE': 'Microsoft', 'ID_NET_NAME_PATH': 'enP64000p0s2', 'ID_NET_NAME_SLOT': 'enP64000s1', 'ID_MM_CANDIDATE': '1', 'ID_PATH': 'acpi-MSFT1000:00-pci-fa00:00:02.0', 'ID_PATH_TAG': 'acpi-MSFT1000_00-pci-fa00_00_02_0', 'ID_NET_LINK_FILE': '/usr/lib/systemd/network/99-default.link', 'ID_NET_NAME': 'enP64000s1', 'SYSTEMD_ALIAS': '/sys/subsystem/net/devices/enP64000s1', 'TAGS': ':systemd:', 'CURRENT_TAGS': ':systemd:'})
  [2025-10-03 14:31:00,408] validate_interface eth0 OK: NetworkInterface(name='eth0', driver='hv_netvsc', mac='7c:1e:52:5d:4e:18', ipv4_addrs=['10.0.0.49'], udev_properties={'DEVPATH': '/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/7c1e525d-4e18-7c1e-525d-4e187c1e525d/net/eth0', 'INTERFACE': 'eth0', 'IFINDEX': '2', 'SUBSYSTEM': 'net', 'USEC_INITIALIZED': '3514337', 'ID_NET_DRIVER': 'hv_netvsc', 'NM_UNMANAGED': '1', 'ID_NET_NAMING_SCHEME': 'v257', 'ID_NET_NAME_MAC': 'enx7c1e525d4e18', 'ID_OUI_FROM_DATABASE': 'Microsoft', 'ID_MM_CANDIDATE': '1', 'ID_PATH': 'acpi-MSFT1000:00', 'ID_PATH_TAG': 'acpi-MSFT1000_00', 'ID_NET_LINK_FILE': '/usr/lib/systemd/network/99-default.link', 'ID_NET_NAME': 'eth0', 'SYSTEMD_ALIAS': '/sys/subsystem/net/devices/eth0', 'TAGS': ':systemd:', 'CURRENT_TAGS': ':systemd:'})
  [2025-10-03 14:31:00,408] validate_networking OK: NetworkInfo(interfaces={'enP64000s1': NetworkInterface(name='enP64000s1', driver='mlx5_core', mac='7c:1e:52:5d:4e:18', ipv4_addrs=[], udev_properties={'DEVPATH': '/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/74be939c-fa00-4f1c-92d2-01b92989e8bc/pcifa00:00/fa00:00:02.0/net/enP64000s1', 'INTERFACE': 'enP64000s1', 'IFINDEX': '3', 'SUBSYSTEM': 'net', 'USEC_INITIALIZED': '9137589', 'AZURE_UNMANAGED_SRIOV': '1', 'ID_NET_MANAGED_BY': 'unmanaged', 'NM_UNMANAGED': '1', 'ID_NET_DRIVER': 'mlx5_core', 'ID_BUS': 'pci', 'ID_VENDOR_ID': '0x15b3', 'ID_MODEL_ID': '0x101a', 'ID_PCI_CLASS_FROM_DATABASE': 'Network controller', 'ID_PCI_SUBCLASS_FROM_DATABASE': 'Ethernet controller', 'ID_VENDOR_FROM_DATABASE': 'Mellanox Technologies', 'ID_MODEL_FROM_DATABASE': 'MT28800 Family [ConnectX-5 Ex Virtual Function]', 'ID_NET_NAMING_SCHEME': 'v257', 'ID_NET_NAME_MAC': 'enx7c1e525d4e18', 'ID_OUI_FROM_DATABASE': 'Microsoft', 'ID_NET_NAME_PATH': 'enP64000p0s2', 'ID_NET_NAME_SLOT': 'enP64000s1', 'ID_MM_CANDIDATE': '1', 'ID_PATH': 'acpi-MSFT1000:00-pci-fa00:00:02.0', 'ID_PATH_TAG': 'acpi-MSFT1000_00-pci-fa00_00_02_0', 'ID_NET_LINK_FILE': '/usr/lib/systemd/network/99-default.link', 'ID_NET_NAME': 'enP64000s1', 'SYSTEMD_ALIAS': '/sys/subsystem/net/devices/enP64000s1', 'TAGS': ':systemd:', 'CURRENT_TAGS': ':systemd:'}), 'eth0': NetworkInterface(name='eth0', driver='hv_netvsc', mac='7c:1e:52:5d:4e:18', ipv4_addrs=['10.0.0.49'], udev_properties={'DEVPATH': '/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/7c1e525d-4e18-7c1e-525d-4e187c1e525d/net/eth0', 'INTERFACE': 'eth0', 'IFINDEX': '2', 'SUBSYSTEM': 'net', 'USEC_INITIALIZED': '3514337', 'ID_NET_DRIVER': 'hv_netvsc', 'NM_UNMANAGED': '1', 'ID_NET_NAMING_SCHEME': 'v257', 'ID_NET_NAME_MAC': 'enx7c1e525d4e18', 'ID_OUI_FROM_DATABASE': 'Microsoft', 'ID_MM_CANDIDATE': '1', 'ID_PATH': 'acpi-MSFT1000:00', 'ID_PATH_TAG': 'acpi-MSFT1000_00', 'ID_NET_LINK_FILE': '/usr/lib/systemd/network/99-default.link', 'ID_NET_NAME': 'eth0', 'SYSTEMD_ALIAS': '/sys/subsystem/net/devices/eth0', 'TAGS': ':systemd:', 'CURRENT_TAGS': ':systemd:'})})
  [2025-10-03 14:31:00,408] validate_sku_config SKIPPED: no sku configuration for VM size 'Standard_E2ads_v6'
  [2025-10-03 14:31:00,408] success!

  And, in dmesg:

  [ 2477.205168] audit: type=1400 audit(1759494289.696:387): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lsblk" pid=4270 comm="apparmor_parser"
  [ 2512.115007] audit: type=1400 audit(1759494324.607:388): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/70b4ac38-05b7-4efe-8862-db2456dfec84/pci05b7:00/05b7:00:00.0/nvme/nvme0/nvme0n1/" pid=4287 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Actually, the tests are skipped as they need to be run inside an Azure VM, but in the CPC Azure squad, we run them manually as part of this package validation.
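Added example, not part of the bug report or the upstream merge request: a Python triage of the two audit records quoted above that lists each access the lsblk profile had no rule for and replaces the per-VM path segments with globs for review. The function names and segment patterns are assumptions made for this example, and the resulting pattern is not the rule from the merge request.

```python
import re

# Constructed input: the two file-access audit records quoted in the report,
# with the leading dmesg timestamps removed.
SAMPLE = (
    'audit: type=1400 audit(1759492274.036:192): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/70b4ac38-05b7-4efe-8862-db2456dfec84/pci05b7:00/05b7:00:00.0/nvme/nvme0/nvme0n1/" pid=1707 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
    'audit: type=1400 audit(1759494324.607:388): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/LNXSYSTM:00/LNXSYBUS:00/ACPI0004:00/MSFT1000:00/70b4ac38-05b7-4efe-8862-db2456dfec84/pci05b7:00/05b7:00:00.0/nvme/nvme0/nvme0n1/" pid=4287 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0\n'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed patterns for path segments that differ per VM or per device instance.
INSTANCE = [
    (re.compile(r'^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$'), '*'),  # GUID
    (re.compile(r'^pci[0-9a-f]{4}:[0-9a-f]{2}$'), 'pci*'),                # PCI root
    (re.compile(r'^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$'), '*'),   # PCI address
    (re.compile(r'^nvme\d+(?:n\d+)?$'), 'nvme*'),                         # controller/namespace
]
# ALLOWED with a non-empty denied_mask is what a complain-mode profile logs.
MODE = {'DENIED': 'enforce: blocked', 'ALLOWED': 'complain: logged only'}

def parse_record(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def generalize(path):
    """Replace instance-specific segments with globs ('*' never crosses '/')."""
    out = []
    for seg in path.split('/'):
        for rx, glob in INSTANCE:
            if rx.match(seg):
                seg = glob
                break
        out.append(seg)
    return '/'.join(out)

def triage(log_text):
    """Yield one finding per record that reports an access no rule covered."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or not rec.get('denied_mask'):
            continue
        yield {'profile': rec['profile'], 'mask': rec['denied_mask'],
               'verdict': rec['apparmor'],
               'mode': MODE.get(rec['apparmor'], 'other'),
               'pattern': generalize(rec['name'])}

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

AppArmor logs apparmor="ALLOWED" with a non-empty denied_mask when the profile is in complain mode, which is why the script reports that verdict separately from DENIED.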

