debcrafters-packages team mailing list archive
Message #00639
[Bug 2111604] Re: lsblk: failed to get sysfs name: Permission denied
Gaah, and shortly after submitting this one I remembered that Ubuntu
enables AppArmor by default:
-------------------------------------------------
$ sudo aa-status
apparmor module is loaded.
173 profiles are loaded.
90 profiles are in enforce mode.
[...]
lsblk
$ sudo aa-complain /usr/bin/lsblk
Setting /usr/bin/lsblk to complain mode.
Warning: profile lsblk represents multiple programs
Warning: profile lsblk represents multiple programs
$ sudo /usr/bin/lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
xvda 202:0 0 30G 0 disk
├─xvda1 202:1 0 1M 0 part
└─xvda2 202:2 0 30G 0 part /
xvdb 202:16 0 25G 0 disk /home
zram0 251:0 0 1.9G 0 disk [SWAP]
-------------------------------------------------
OK, this works. I guess the fix is to correct the AA profile for lsblk?
The audit log now says:
-------------------------------------------------
$ sudo lsblk /dev/xvda
$ sudo dmesg -t
audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[...]
-------------------------------------------------
Hm...
-------------------------------------------------
$ grep -e dev/block -e devices /etc/apparmor.d/lsblk
@{sys}/dev/block/ r,
@{sys}/devices/pci[0-9]*:[0-9]*/** r,
@{sys}/devices/virtual/** r,
@{sys}/devices/platform/** r,
@{sys}/devices/**/host@{int}/** r,
-------------------------------------------------
Ah "/sys/devices/vbd" is missing here, the following should do the
trick:
-------------------------------------------------
$ diff -u ~/trash/lsblk_aa.bak /etc/apparmor.d/lsblk
--- /root/trash/lsblk_aa.bak 2025-05-23 18:34:11.248052317 +0200
+++ /etc/apparmor.d/lsblk 2025-05-23 18:46:36.620019034 +0200
@@ -25,6 +25,7 @@
@{sys}/devices/pci[0-9]*:[0-9]*/** r,
@{sys}/devices/virtual/** r,
@{sys}/devices/platform/** r,
+ @{sys}/devices/vbd-[0-9]*/** r,
# Needed for disks over network e.g. Hyper-V VMs (including Azure), IBM Power, ...
@{sys}/devices/**/host@{int}/** r,
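Review bot: the added rule "@{sys}/devices/vbd-[0-9]*/** r," is looser than the device names need. In an AppArmor glob "[0-9]*" is one digit followed by any run of non-slash characters, so it accepts "vbd-5foo" as well as "vbd-51712". The host rule two lines below already uses @{int}, so "@{sys}/devices/vbd-@{int}/** r," would restrict the match to a numeric id. The new line also has no comment; a short one like the "Needed for disks over network" comment below it, saying which devices live under vbd-*, would help the next reader of the profile.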
-------------------------------------------------
Not sure if that's strict enough, but with that profile "lsblk" works
again.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2111604
Title:
lsblk: failed to get sysfs name: Permission denied
Status in apparmor package in Ubuntu:
New
Bug description:
After upgrading from 24.10 to 25.04 the "lsblk" command (from
util-linux) is not seeing disks, and shows only my ZRAM device:
-------------------------------------------------
$ df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/xvda2 30G 12G 18G 40% /
$ sudo lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
zram0 251:0 0 1.9G 0 disk [SWAP]
$ sudo lsblk /dev/xvda*
lsblk: /dev/xvda: failed to get sysfs name: Permission denied
lsblk: /dev/xvda1: failed to get sysfs name: Permission denied
lsblk: /dev/xvda2: failed to get sysfs name: Permission denied
-------------------------------------------------
The system boots and works just fine, and other tools can access the
disks w/o problems. For example:
-------------------------------------------------
$ sudo blkid /dev/xvda*
/dev/xvda: PTUUID="1353f786-28c0-4dcc-9932-4c052dcc9868" PTTYPE="gpt"
/dev/xvda1: PARTUUID="e2df2843-3aa1-4691-a12f-3158a99dec70"
/dev/xvda2: LABEL="root" UUID="040da274-83bc-43e7-b2f4-23c7ff6ca0d3" [...]
-------------------------------------------------
The system is fully patched (util-linux 2.40.2-14ubuntu1), so I tried
to reproduce this with the upstream version, and this works:
-------------------------------------------------
$ lsblk --version
lsblk from util-linux 2.40.2
$ ./lsblk --version
lsblk from util-linux 2.42-start-365-c6059
$ sudo ./lsblk /dev/xvda
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
xvda 202:0 0 30G 0 disk
├─xvda1 202:1 0 1M 0 part
└─xvda2 202:2 0 30G 0 part /
-------------------------------------------------
Using strace(1) on the Ubuntu version shows:
-------------------------------------------------
# LC_ALL=C strace -tt -s1024 -f /usr/bin/lsblk /dev/xvda
[...]
access("/etc/selinux/config", F_OK) = -1 ENOENT (No such file or directory)
access("/sys/dev/block", R_OK) = 0
ioctl(1, TIOCGWINSZ, {ws_row=35, ws_col=160, ws_xpixel=0, ws_ypixel=0}) = 0
newfstatat(AT_FDCWD, "/dev/xvda", {st_mode=S_IFBLK|0660, st_rdev=makedev(0xca, 0), ...}, 0) = 0
openat(AT_FDCWD, "/sys/dev/block/202:0", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
write(2, "lsblk: ", 7lsblk: ) = 7
write(2, "/dev/xvda: failed to get sysfs name", 35/dev/xvda: failed to get sysfs name) = 35
write(2, ": Permission denied\n", 20: Permission denied
) = 20
dup(1) = 3
close(3) = 0
dup(2) = 3
close(3) = 0
exit_group(32) = ?
+++ exited with 32 +++
-------------------------------------------------
But the /sys entries look just fine:
-------------------------------------------------
$ ls -Lld /dev/xvda /sys/dev/block/202:0
brw-rw---- 1 root disk 202, 0 May 23 17:59 /dev/xvda
drwxr-xr-x 11 root root 0 May 23 18:26 /sys/dev/block/202:0
$ sudo grep . /sys/dev/block/202:0/* 2>/dev/null
/sys/dev/block/202:0/alignment_offset:0
/sys/dev/block/202:0/capability:0
/sys/dev/block/202:0/dev:202:0
/sys/dev/block/202:0/discard_alignment:0
/sys/dev/block/202:0/diskseq:9
/sys/dev/block/202:0/events_poll_msecs:-1
/sys/dev/block/202:0/ext_range:256
/sys/dev/block/202:0/hidden:0
/sys/dev/block/202:0/inflight: 0 0
/sys/dev/block/202:0/partscan:1
/sys/dev/block/202:0/range:16
/sys/dev/block/202:0/removable:0
/sys/dev/block/202:0/ro:0
/sys/dev/block/202:0/size:62914560
/sys/dev/block/202:0/stat: 26125 219 1630424 42343 21276 600 1461456 69071 0 18884 114732 0 0 0 0 712 3318
/sys/dev/block/202:0/uevent:MAJOR=202
/sys/dev/block/202:0/uevent:MINOR=0
/sys/dev/block/202:0/uevent:DEVNAME=xvda
/sys/dev/block/202:0/uevent:DEVTYPE=disk
/sys/dev/block/202:0/uevent:DISKSEQ=9
-------------------------------------------------
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604/+subscriptions
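The diagnosis in the message above (complain mode, audit line, missing rule) can be scripted. The following Python code is an added example, not part of the original message or of AppArmor itself: it checks the name= paths from audit lines against a profile's path rules, using a simplified translation of AppArmor globs. The values chosen for @{sys} and @{int}, the function names and the second audit line are assumptions made for this example.

```python
import re

# Assumed variable values; the real ones come from the profile's tunables.
VARS = {"@{sys}": "/sys", "@{int}": "[0-9]+"}

def rule_to_regex(rule):
    """Translate an AppArmor path glob (simplified subset) into a regex."""
    out, i = [], 0
    while i < len(rule):
        var = next((v for v in VARS if rule.startswith(v, i)), None)
        if var:
            piece, step = VARS[var], len(var)
        elif rule.startswith("**", i):   # any characters, including "/"
            piece, step = ".*", 2
        elif rule[i] == "*":             # any characters except "/"
            piece, step = "[^/]*", 1
        elif rule[i] == "?":             # one character except "/"
            piece, step = "[^/]", 1
        elif rule[i] == "[":             # character class, copied through
            end = rule.index("]", i)
            piece, step = rule[i:end + 1], end + 1 - i
        else:
            piece, step = re.escape(rule[i]), 1
        out.append(piece)
        i += step
    return re.compile("".join(out))

def uncovered(audit_lines, rules, profile):
    """Return the sorted audit paths that none of the rules match."""
    regexes = [rule_to_regex(r) for r in rules]
    missing = set()
    for line in audit_lines:
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if f.get("profile") != profile or f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if not any(rx.fullmatch(f.get("name", "")) for rx in regexes):
            missing.add(f["name"])
    return sorted(missing)

# Path rules as shown by the grep in the message above.
PAGE_RULES = ["@{sys}/dev/block/", "@{sys}/devices/pci[0-9]*:[0-9]*/**",
              "@{sys}/devices/virtual/**", "@{sys}/devices/platform/**",
              "@{sys}/devices/**/host@{int}/**"]
AUDIT = [  # first line is quoted in the message above, second is constructed
    'audit: type=1400 audit(1748018324.033:624): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/vbd-51712/block/xvda/" pid=44598 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(0.000:1): apparmor="ALLOWED" operation="open" class="file" profile="lsblk" name="/sys/devices/virtual/block/zram0/" comm="lsblk" requested_mask="r"',
]
print(uncovered(AUDIT, PAGE_RULES, "lsblk"))
```

Appending a candidate rule to PAGE_RULES and re-running shows whether it closes the gap; the translation ignores alternation, deny rules and AppArmor's directory-versus-file matching details.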