debcrafters-packages team mailing list archive

Thread
Date
[Bug 2107402] Re: lsblk on IBM z Systems blocked by apparmor in 25.04

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Julian Andres Klode <2107402@xxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Sep 2025 12:04:47 -0000
Reply-to: Bug 2107402 <2107402@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Hello Marian, or anyone else affected,

Accepted apparmor into plucky-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/4.1.0~beta5-0ubuntu14.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
plucky to verification-done-plucky. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-plucky. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: apparmor (Ubuntu Plucky)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-plucky

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2107402

Title:
  lsblk on IBM z Systems blocked by apparmor in 25.04

Status in Release Notes for Ubuntu:
  Fix Released
Status in Ubuntu on IBM z Systems:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Released
Status in util-linux package in Ubuntu:
  Invalid
Status in apparmor source package in Plucky:
  Fix Committed
Status in util-linux source package in Plucky:
  Invalid
Status in apparmor source package in Questing:
  Fix Released
Status in util-linux source package in Questing:
  Invalid

Bug description:
  SRU Justification:

  [ Impact ]

   * lsblk on an s390x system that uses DASD disks shows no output.

   * journactl shows lsblk is blocked by apparmor:
     2025-04-15T15:02:26.048075+00:00 s5lp1-gen03 kernel: audit: type=1400
     audit(1744729346.034:270): apparmor="DENIED" operation="open"
     class="file" profile="lsblk" name="/sys/devices/css0/
     0.0.0000/0.0.0101/block/dasda/hidden" pid=2070 comm="lsblk"
     requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

   * The reason is that the lsblk profile does not allow access
     to /sys/devices/css0.

  [ Test Plan ]

   * Install Ubuntu Server 25.04 on IBM Z in LPAR, z/VM or KVM
     using DASD ECKD disks.

   * Please notice that testing this at install time using the installer
     shell is not sufficient, since the profile is not active at that time.

   * Ensure util-linux and the s390-tools are installed
     (which is by default).

   * Check if apparmor is enabled and the profile active:
     sudo aa-status --enabled
     sudo aa-status --show=all | grep lsblk

   * Do an lsdasd, it should list DASD ECKD disks, similar to:
     $ lsdasd
     Bus-ID    Status    Name      Device  Type         BlkSz  Size      Blocks
     ================================================================================
     0.0.0200  active    dasda     94:0    ECKD         4096   7042MB    1802880
     0.0.0300  active    dasdb     94:4    ECKD         4096   7042MB    1802880
     0.0.0400  active    dasdc     94:8    ECKD         4096   21128MB   5409000

   * Now execute lsblk (and watch the journal)

     - on a system that is not patched,
       one will see no output in the Terminal
       (or in case of running in a container a segfault),
       and messages like this in the journal:
       2025-04-15T15:02:26.048075+00:00 hwe0006 kernel: audit: type=1400
       audit(1744729346.034:270): apparmor="DENIED" operation="open"
       class="file" profile="lsblk" name="/sys/devices/css0/
       0.0.0000/0.0.0200/block/dasda/hidden" pid=2070 comm="lsblk"
       requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
       ...

     - on a patched system, lsblk should provide a proper output
       similar to this:
       $ lsblk
       NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
       loop0                       7:0    0 65.4M  1 loop
       loop1                       7:1    0 65.4M  1 loop /snap/core22/1909
       loop2                       7:2    0 39.9M  1 loop
       loop3                       7:3    0 98.7M  1 loop /snap/lxd/32454
       loop4                       7:4    0 39.9M  1 loop /snap/snapd/23776
       loop5                       7:5    0 65.4M  1 loop
       loop6                       7:6    0  100M  1 loop /snap/lxd/33109
       loop7                       7:7    0 46.2M  1 loop /snap/snapd/24506
       loop8                       7:8    0 65.4M  1 loop /snap/core22/1965
       dasda                      94:0    0 20.6G  0 disk
       └─dasda1                   94:1    0 20.6G  0 part
         └─hwe0006--vg-hwe0006--lv 253:0    0 47.1G  0 lvm  /
       dasdb                      94:4    0  6.9G  0 disk
       ├─dasdb1                   94:5    0    1G  0 part /boot
       └─dasdb2                   94:6    0  5.9G  0 part
         └─hwe0006--vg-hwe0006--lv 253:0    0 47.1G  0 lvm  /
       dasdc                      94:8    0 20.6G  0 disk
       └─dasdc1                   94:9    0 20.6G  0 part
         └─hwe0006--vg-hwe0006--lv 253:0    0 47.1G  0 lvm  /

   * As a regression test, execute lsblk also on a FCP/SCSP
     system, to verify that nothing has changed
     (since this was not affected).

  [ Where problems could occur ]

   * This SRU loosens confinement on the lsblk profile. However, if a user
     manually modified the installed profiles, then the package upgrade would
     cause conflicts, and rejection of the incoming changes (either by hand
     during an interactive upgrade or automatically during an batch unattended
     upgrade) would result in end users not getting the packaged fix.

   * This should not have an impact on other (disk type) devices
     like SCSI/FCP, but better check (see test plan, last bullet).

  [ Other Info ]

   * The modification is already included in questing.

   * The patch was tested also successfully tested in plucky on s390x.
  __________

  Fresh install of 25.04 on s390x. Same happens also on upgrade from
  24.10 to 25.04

  lsblk returns no output

  journactl shows it is blocked by apparmor

  This works fine for SCSI devices, it fails only for DASD.

  ```
  2025-04-15T15:02:26.048055+00:00 s5lp1-gen03 kernel: kauditd_printk_skb: 6 callbacks suppressed
  2025-04-15T15:02:26.048075+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:270): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0000/0.0.0101/block/dasda/hidden" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048077+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:271): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0000/0.0.0101/block/dasda/dev" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048078+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:272): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0003/0.0.0104/block/dasdd/hidden" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048079+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:273): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0003/0.0.0104/block/dasdd/dev" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048080+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:274): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0001/0.0.0102/block/dasdb/hidden" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048080+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:275): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0001/0.0.0102/block/dasdb/dev" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048081+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:276): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0002/0.0.0103/block/dasdc/hidden" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  2025-04-15T15:02:26.048081+00:00 s5lp1-gen03 kernel: audit: type=1400 audit(1744729346.034:277): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/css0/0.0.0002/0.0.0103/block/dasdc/dev" pid=2070 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  ```

  Attaching also strace

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/2107402/+subscriptions