Public bug reported:

On Plucky, the output of lsblk does not list PCI block devices whose
BDFs contain hex digits in [a-f], instead resulting in apparmor="DENIED"
messages in dmesg for those devices.

In /etc/apparmor.d/lsblk, the line @{sys}/devices/pci[0-9]*:[0-9]*/**
attempts to match paths with PCI BDFs, which are in hex, using only
decimal digits [0-9] (thus devices whose BDFs contain hex digits in
[a-f] are omitted). I've submitted an MR upstream with a simple fix (1).

The lsblk AppArmor profile was first introduced in Plucky (2), so prior
releases should not be affected by this issue.

(1) https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
(2) https://git.launchpad.net/ubuntu/+source/apparmor/tree/debian/patches/ubuntu/lsblk_mr_1437.patch?h=ubuntu/plucky

Ex.: Expected to see all nvmeXn1 (0-9) devices listed, but some are
omitted, such as nvme2n1. nvme2n1 appears under the PCI segment:bus
directory pci0000:ae (containing hex digits in [a-f]), thus AppArmor
denials appear in dmesg and nvme2n1 is omitted from the output of lsblk.

$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    1  29.3G  0 disk 
└─sda1        8:1    1  29.3G  0 part 
sdb           8:16   1     0B  0 disk 
sr0          11:0    1  1024M  0 rom  
nvme1n1     259:0    0 894.3G  0 disk 
├─nvme1n1p1 259:2    0   512M  0 part /boot/efi
└─nvme1n1p2 259:3    0 893.8G  0 part /
nvme0n1     259:1    0 894.3G  0 disk 
nvme4n1     259:4    0   3.5T  0 disk 
nvme9n1     259:6    0   3.5T  0 disk 
nvme8n1     259:8    0   3.5T  0 disk 
nvme6n1     259:11   0   3.5T  0 disk 

$ readlink -f /sys/class/block/nvme2n1/device
/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2

$ sudo dmesg | grep -i nvme
...
[11748.808896] audit: type=1400 audit(1750465699.990:180): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/hidden" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808904] audit: type=1400 audit(1750465699.990:181): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[11748.808931] audit: type=1400 audit(1750465699.990:182): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/dev" pid=3734 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
...

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2115234

Title:
  Improper matching for hex PCI BDFs in lsblk profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2115234/+subscriptions
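Added illustration (not part of the bug report or of the apparmor project): a small checker that translates the subset of AppArmor path globbing used by the lsblk rule into a regex and runs the profile's rule, plus an assumed hex-aware rewrite of it, against the denied sysfs path from the report. The hex-aware rule is my assumption of a fix, not the text of the upstream merge request; brace alternation `{a,b}` is not handled.

```python
"""Check which sysfs paths an AppArmor file rule pattern would cover.

Handles the AppArmor glob subset used by the lsblk profile: the @{sys}
variable, '*' (within one path component), '**' (across components),
'?' and '[...]' character classes.  Brace alternation is not implemented.
"""
import re

# AppArmor variables used by the profile; @{sys} expands to /sys.
VARIABLES = {"@{sys}": "/sys"}


def apparmor_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an AppArmor path glob into an anchored regular expression."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):      # '**' may cross '/' boundaries
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":                         # '*' stays inside one component
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif ch == "[":                       # copy a character class verbatim
            end = pattern.index("]", i)
            out.append(pattern[i:end + 1])
            i = end + 1
            continue
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matches(pattern: str, path: str) -> bool:
    return apparmor_glob_to_regex(pattern).match(path) is not None


# Rule from the Plucky lsblk profile, and an ASSUMED hex-aware replacement.
PROFILE_RULE = "@{sys}/devices/pci[0-9]*:[0-9]*/**"
HEX_AWARE_RULE = "@{sys}/devices/pci[0-9a-f]*:[0-9a-f]*/**"

# Constructed sample paths: the denied path from the report and a decimal-only one.
DENIED_PATH = "/sys/devices/pci0000:ae/0000:ae:00.0/0000:af:00.0/0000:b0:00.0/0000:b1:00.0/nvme/nvme2/nvme2n1/dev"
DECIMAL_PATH = "/sys/devices/pci0000:00/0000:00:1d.0/nvme/nvme0/nvme0n1/dev"


def unmatched_paths(pattern: str, paths: list) -> list:
    """Return the paths a rule leaves uncovered, i.e. the ones AppArmor would deny."""
    return [p for p in paths if not matches(pattern, p)]
```

Running `unmatched_paths(PROFILE_RULE, [DENIED_PATH, DECIMAL_PATH])` returns only the `pci0000:ae` path; because `*` already admits any non-slash character, the decimal class only constrains the first character after each colon, so a segment such as `pci0000:1a` would still match while `pci0000:ae` does not.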