Gaah, and shortly after submitting this one I remembered that Ubuntu
enables AppArmor by default:

-------------------------------------------------
$ sudo aa-status
apparmor module is loaded.
173 profiles are loaded.
90 profiles are in enforce mode.
[...]
   lsblk


$ sudo aa-complain /usr/bin/lsblk 
Setting /usr/bin/lsblk to complain mode.
Warning: profile lsblk represents multiple programs
Warning: profile lsblk represents multiple programs

$ sudo /usr/bin/lsblk 
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
xvda    202:0    0   30G  0 disk 
├─xvda1 202:1    0    1M  0 part 
└─xvda2 202:2    0   30G  0 part /
xvdb    202:16   0   25G  0 disk /home
zram0   251:0    0  1.9G  0 disk [SWAP]
-------------------------------------------------

OK, this works. I guess the fix is to correct the AA profile for lsblk?
The audit log now says:

-------------------------------------------------
$ sudo lsblk /dev/xvda
$ sudo dmesg -t
audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

[...]
-------------------------------------------------

Hm...

-------------------------------------------------
$ grep -e dev/block -e devices /etc/apparmor.d/lsblk 
  @{sys}/dev/block/ r,
  @{sys}/devices/pci[0-9]*:[0-9]*/** r,
  @{sys}/devices/virtual/** r,
  @{sys}/devices/platform/** r,
  @{sys}/devices/**/host@{int}/** r,
-------------------------------------------------

Ah, "/sys/devices/vbd" is missing here; the following should do the
trick:

-------------------------------------------------
$ diff -u ~/trash/lsblk_aa.bak /etc/apparmor.d/lsblk 
--- /root/trash/lsblk_aa.bak    2025-05-23 18:34:11.248052317 +0200
+++ /etc/apparmor.d/lsblk       2025-05-23 18:46:36.620019034 +0200
@@ -25,6 +25,7 @@
   @{sys}/devices/pci[0-9]*:[0-9]*/** r,
   @{sys}/devices/virtual/** r,
   @{sys}/devices/platform/** r,
+  @{sys}/devices/vbd-[0-9]*/** r,
 
   # Needed for disks over network e.g. Hyper-V VMs (including Azure), IBM 
Power, ...
   @{sys}/devices/**/host@{int}/** r,
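Review bot: the added rule `@{sys}/devices/vbd-[0-9]*/** r,` is as broad as the neighbouring pci/virtual/platform rules and does cover the denied path `/sys/devices/vbd-51712/block/xvda/` from the audit log, but in AppArmor globbing `[0-9]*` is one digit followed by any run of non-slash characters, so `@{sys}/devices/vbd-@{int}/** r,` (the same variable the `host@{int}` rule just below already uses) would pin the suffix to digits only. The new line also has no comment saying which kind of virtual disks it serves, while the rule below explains its Hyper-V / IBM Power purpose; a one-line comment above it naming the vbd-NNNN devices that back the xvd* disks in the lsblk output would keep the profile self-documenting.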
-------------------------------------------------

Not sure if that's strict enough, but with that profile "lsblk" works
again.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2111604

Title:
  lsblk: failed to get sysfs name: Permission denied

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
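To check a profile change like the one above against the audit events it is meant to fix, here is an added example (not part of the bug report or of the AppArmor project) that models the subset of AppArmor path globbing the quoted rules use and reports which denied paths a profile still leaves uncovered; the `@{sys}`/`@{int}` expansions, the rule regex and the audit-line regex are this example's own assumptions, and the sample profile and audit line are the ones quoted in the report.

```python
import re
# Teaching-model subset of AppArmor path globbing (assumption: enough for the
# rules quoted in the bug, not a reimplementation of apparmor_parser).
VARIABLES = {"@{sys}": "/sys", "@{int}": "[0-9]+"}   # as in tunables/global
RULE_RE = re.compile(r"^\s*(\S+)\s+([a-z]+),\s*$")   # "<path> <perms>,"
AUDIT_RE = re.compile(r'profile="([^"]+)".*?name="([^"]+)".*?denied_mask="([^"]+)"')

def aa_glob_to_regex(rule_path):
    """Translate one AppArmor file-rule path into an anchored regex."""
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):          # ** crosses directory boundaries
            out.append(".*"); i += 2
        elif rule_path[i] == "*":                  # * does not cross '/'
            out.append("[^/]*"); i += 1
        elif rule_path[i] == "[":                  # character class such as [0-9]
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1]); i = j + 1
        elif rule_path.startswith("@{", i):        # profile variable
            j = rule_path.index("}", i)
            out.append(VARIABLES[rule_path[i:j + 1]]); i = j + 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return re.compile("".join(out) + "$")

def uncovered(profile_text, profile_name, audit_lines):
    """(path, denied_mask) of audit events for profile_name that no file rule
    in profile_text allows; an empty list means the profile covers them all."""
    rules = [(aa_glob_to_regex(m.group(1)), m.group(2))
             for m in map(RULE_RE.match, profile_text.splitlines()) if m]
    events = [m.groups() for m in map(AUDIT_RE.search, audit_lines) if m]
    return [(path, mask) for prof, path, mask in events if prof == profile_name
            and not any(rx.match(path) and set(mask) <= set(perms)
                        for rx, perms in rules)]

# File rules as quoted from /etc/apparmor.d/lsblk in the bug, before the fix.
PROFILE_BEFORE = """
  @{sys}/dev/block/ r,
  @{sys}/devices/pci[0-9]*:[0-9]*/** r,
  @{sys}/devices/virtual/** r,
  @{sys}/devices/platform/** r,
  @{sys}/devices/**/host@{int}/** r,
"""
PROFILE_AFTER = PROFILE_BEFORE + "  @{sys}/devices/vbd-[0-9]*/** r,\n"  # the diff
# The dmesg audit event from the bug, re-joined onto one line.
AUDIT = ['audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" '
         'operation="open" class="file" profile="lsblk" '
         'name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" '
         'requested_mask="r" denied_mask="r" fsuid=0 ouid=0']
```

`uncovered(PROFILE_BEFORE, "lsblk", AUDIT)` returns the vbd path with its denied `r` mask and `uncovered(PROFILE_AFTER, "lsblk", AUDIT)` returns an empty list; feeding it the `denied_mask` lines from a complain-mode run is a quick way to see whether a candidate rule set is complete before switching the profile back to enforce.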