Gaah, and shortly after submitting this one I remembered that Ubuntu
enables AppArmor by default:

-------------------------------------------------
$ sudo aa-status
apparmor module is loaded.
173 profiles are loaded.
90 profiles are in enforce mode.
[...]
   lsblk


$ sudo aa-complain /usr/bin/lsblk 
Setting /usr/bin/lsblk to complain mode.
Warning: profile lsblk represents multiple programs
Warning: profile lsblk represents multiple programs

$ sudo /usr/bin/lsblk 
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
xvda    202:0    0   30G  0 disk 
├─xvda1 202:1    0    1M  0 part 
└─xvda2 202:2    0   30G  0 part /
xvdb    202:16   0   25G  0 disk /home
zram0   251:0    0  1.9G  0 disk [SWAP]
-------------------------------------------------

OK, this works. I guess the fix is to correct the AA profile for lsblk?
The audit log now says:

-------------------------------------------------
$ sudo lsblk /dev/xvda
$ sudo dmesg -t
audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

[...]
-------------------------------------------------

Hm...

-------------------------------------------------
$ grep -e dev/block -e devices /etc/apparmor.d/lsblk 
  @{sys}/dev/block/ r,
  @{sys}/devices/pci[0-9]*:[0-9]*/** r,
  @{sys}/devices/virtual/** r,
  @{sys}/devices/platform/** r,
  @{sys}/devices/**/host@{int}/** r,
-------------------------------------------------

Ah "/sys/devices/vbd" is missing here, the following should do the
trick:


-------------------------------------------------
$ diff -u ~/trash/lsblk_aa.bak /etc/apparmor.d/lsblk 
--- /root/trash/lsblk_aa.bak    2025-05-23 18:34:11.248052317 +0200
+++ /etc/apparmor.d/lsblk       2025-05-23 18:46:36.620019034 +0200
@@ -25,6 +25,7 @@
   @{sys}/devices/pci[0-9]*:[0-9]*/** r,
   @{sys}/devices/virtual/** r,
   @{sys}/devices/platform/** r,
+  @{sys}/devices/vbd-[0-9]*/** r,
 
   # Needed for disks over network e.g. Hyper-V VMs (including Azure), IBM 
Power, ...
   @{sys}/devices/**/host@{int}/** r,
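Review bot: the added `@{sys}/devices/vbd-[0-9]*/** r,` line pins only the first character after `vbd-` to a digit; the `*` that follows accepts any further characters within that path component, so names that are not a purely numeric ID match as well. The `host@{int}` rule in the context just below already uses `@{int}` for this kind of component, so `@{sys}/devices/vbd-@{int}/** r,` would be the tighter spelling and would settle the "strict enough" doubt raised under the patch. The new rule also carries no comment, unlike the "Needed for disks over network" line below it; a one-line comment naming the setup that exposes `/sys/devices/vbd-*` would help whoever reads the profile next.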
-------------------------------------------------

Not sure if that's strict enough, but with that profile "lsblk" works
again.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2111604

Title:
  lsblk: failed to get sysfs name: Permission denied

Status in apparmor package in Ubuntu:
  New

Bug description:
  After upgrading from 24.10 to 25.04 the "lsblk" command (from util-
  linux) is not seeing disks, and shows only my ZRAM device:

  -------------------------------------------------
  $ df -h /
  Filesystem      Size  Used Avail Use% Mounted on
  /dev/xvda2       30G   12G   18G  40% /

  $ sudo lsblk 
  NAME  MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
  zram0 251:0    0  1.9G  0 disk [SWAP]

  $ sudo lsblk /dev/xvda*
  lsblk: /dev/xvda: failed to get sysfs name: Permission denied
  lsblk: /dev/xvda1: failed to get sysfs name: Permission denied
  lsblk: /dev/xvda2: failed to get sysfs name: Permission denied
  -------------------------------------------------

  The system boots and works just fine, and other tools can access the
  disks w/o problems. For example:

  
  -------------------------------------------------
  $ sudo blkid /dev/xvda*
  /dev/xvda: PTUUID="1353f786-28c0-4dcc-9932-4c052dcc9868" PTTYPE="gpt"
  /dev/xvda1: PARTUUID="e2df2843-3aa1-4691-a12f-3158a99dec70"
  /dev/xvda2: LABEL="root" UUID="040da274-83bc-43e7-b2f4-23c7ff6ca0d3" [...]
  -------------------------------------------------

  The system is fully patched (util-linux 2.40.2-14ubuntu1), so I tried
  to reproduce this with the upstream version, and this works:

  -------------------------------------------------
  $ lsblk --version
  lsblk from util-linux 2.40.2

  $ ./lsblk --version
  lsblk from util-linux 2.42-start-365-c6059

  $ sudo ./lsblk /dev/xvda
  NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
  xvda    202:0    0  30G  0 disk 
  ├─xvda1 202:1    0   1M  0 part 
  └─xvda2 202:2    0  30G  0 part /
  -------------------------------------------------

  Using strace(1) on the Ubuntu version shows:

  -------------------------------------------------
  # LC_ALL=C strace -tt -s1024 -f /usr/bin/lsblk /dev/xvda 
  [...]
  access("/etc/selinux/config", F_OK)     = -1 ENOENT (No such file or directory)
  access("/sys/dev/block", R_OK)          = 0
  ioctl(1, TIOCGWINSZ, {ws_row=35, ws_col=160, ws_xpixel=0, ws_ypixel=0}) = 0
  newfstatat(AT_FDCWD, "/dev/xvda", {st_mode=S_IFBLK|0660, st_rdev=makedev(0xca, 0), ...}, 0) = 0
  openat(AT_FDCWD, "/sys/dev/block/202:0", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
  write(2, "lsblk: ", 7lsblk: )                  = 7
  write(2, "/dev/xvda: failed to get sysfs name", 35/dev/xvda: failed to get sysfs name) = 35
  write(2, ": Permission denied\n", 20: Permission denied
  )   = 20
  dup(1)                                  = 3
  close(3)                                = 0
  dup(2)                                  = 3
  close(3)                                = 0
  exit_group(32)                          = ?
  +++ exited with 32 +++
  -------------------------------------------------

  
  But the /sys entries look just fine:

  
  -------------------------------------------------
  $ ls -Lld /dev/xvda /sys/dev/block/202:0
  brw-rw----  1 root disk 202, 0 May 23 17:59 /dev/xvda
  drwxr-xr-x 11 root root      0 May 23 18:26 /sys/dev/block/202:0

  $ sudo grep . /sys/dev/block/202:0/* 2>/dev/null 
  /sys/dev/block/202:0/alignment_offset:0
  /sys/dev/block/202:0/capability:0
  /sys/dev/block/202:0/dev:202:0
  /sys/dev/block/202:0/discard_alignment:0
  /sys/dev/block/202:0/diskseq:9
  /sys/dev/block/202:0/events_poll_msecs:-1
  /sys/dev/block/202:0/ext_range:256
  /sys/dev/block/202:0/hidden:0
  /sys/dev/block/202:0/inflight:       0        0
  /sys/dev/block/202:0/partscan:1
  /sys/dev/block/202:0/range:16
  /sys/dev/block/202:0/removable:0
  /sys/dev/block/202:0/ro:0
  /sys/dev/block/202:0/size:62914560
  /sys/dev/block/202:0/stat:   26125      219  1630424    42343    21276      600  1461456    69071        0    18884   114732        0        0        0        0      712     3318
  /sys/dev/block/202:0/uevent:MAJOR=202
  /sys/dev/block/202:0/uevent:MINOR=0
  /sys/dev/block/202:0/uevent:DEVNAME=xvda
  /sys/dev/block/202:0/uevent:DEVTYPE=disk
  /sys/dev/block/202:0/uevent:DISKSEQ=9
  -------------------------------------------------
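
The coverage question from the comment at the top (does the shipped profile allow the logged path, and is `vbd-[0-9]*` strict enough?) can be checked offline. This is an added example, not code from the bug report or from AppArmor: it uses a simplified glob model, assumes `@{sys}` is `/sys/` and `@{int}` is a run of digits, and the `STRICTER` rule and the `ODD` record are constructed for illustration.

```python
import re

# Simplified model of AppArmor path globs; alternation is not handled.
# Assumed expansions: @{sys} -> /sys/, @{int} -> one or more digits.
TOKENS = re.compile(r"@\{int\}|\*\*|\*|\[[^\]]+\]|.", re.S)
TABLE = {"@{int}": "[0-9]+",   # numeric component (assumption)
         "**": ".*",           # crosses directory boundaries
         "*": "[^/]*"}         # stays within one path component

def rule_to_regex(glob):
    """Translate one profile path glob into an anchored regex."""
    glob = re.sub(r"/{2,}", "/", glob.replace("@{sys}", "/sys/"))
    def conv(m):
        t = m.group()
        if t in TABLE:
            return TABLE[t]
        return t if len(t) > 1 else re.escape(t)   # [..] class passes through
    return re.compile(TOKENS.sub(conv, glob) + r"\Z")

def parse_audit(line):
    """Extract key="value" / key=value fields from one audit record."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def covered(rec, rules):
    """True if some (glob, perms) rule grants the mask the record requested."""
    return any(rule_to_regex(g).match(rec["name"])
               and set(rec["requested_mask"]) <= set(p) for g, p in rules)

# Rules from the grep output in the post, then two candidate additions.
PROFILE = [(g, "r") for g in (
    "@{sys}/dev/block/", "@{sys}/devices/pci[0-9]*:[0-9]*/**",
    "@{sys}/devices/virtual/**", "@{sys}/devices/platform/**",
    "@{sys}/devices/**/host@{int}/**")]
PROPOSED = ("@{sys}/devices/vbd-[0-9]*/**", "r")   # rule added in the diff
STRICTER = ("@{sys}/devices/vbd-@{int}/**", "r")   # hypothetical variant

# Audit record from the post, joined onto one line.
LOGGED = parse_audit(
    'audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" '
    'operation="open" class="file" profile="lsblk" '
    'name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
# Constructed record: a vbd- name that is not purely numeric.
ODD = {"name": "/sys/devices/vbd-5extra/block/x/", "requested_mask": "r"}

if __name__ == "__main__":
    for label, rules in (("shipped", PROFILE), ("proposed", PROFILE + [PROPOSED]),
                         ("stricter", PROFILE + [STRICTER])):
        print(label, covered(LOGGED, rules), covered(ODD, rules))
```

Each output row gives the rule set, whether the logged path is covered, and whether the constructed non-numeric path is covered; only the `@{int}` variant admits the first and rejects the second.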
