Merge profiles: fix regex for hex PCI BDFs

The current lsblk profile contains `@{sys}/devices/pci@{int}:@{int}/** r` (where `@{int}` expands to `[0-9]+`). PCI BDFs are in hex, so block device paths whose BDF contains [a-f] digits are skipped, causing them to be omitted from the output of lsblk. Replacing `@{int}` with `@{hex}` (which expands to `[0-9a-fA-F]+`) ensures PCI block device paths with [a-f] hex digits are correctly matched and displayed in the output of `lsblk`. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1725 Approved-by: Maxime Bélair <maxime.belair@canonical.com> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 10:07:12 +00:00 · 2025-07-24 10:46:00 +00:00 · 2025-07-24 10:46:00 +00:00 · 49cb0fe248
commit 49cb0fe248
parent ab46c224cb b6ad58bbbe
15 changed files with 46 additions and 43 deletions
--- a/profiles/apparmor.d/Xorg
+++ b/profiles/apparmor.d/Xorg
@ -86,7 +86,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  @{sys}/devices/**       r,
  @{sys}/module/**        r,

-  @{sys}/devices/pci*/**/backlight/*/brightness rw,
+  @{sys}/devices/@{pci_bus}/**/backlight/*/brightness rw,

  # Display managers
  @{run}/user/@{uid}/gdm/* r,
@ -135,7 +135,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  # When running without a kernel mode-setting (KMS) driver, Xorg may need
  # these additional permissions. DO NOT enable these unless necessary!
  #nokms#/dev/mem rw,
-  #nokms#@{sys}/devices/pci[0-9]*/*/*/resource[0-9] w,
+  #nokms#@{sys}/devices/@{pci_bus}/*/*/resource[0-9] w,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/Xorg>
--- a/profiles/apparmor.d/abstractions/dri-enumerate
+++ b/profiles/apparmor.d/abstractions/dri-enumerate
@ -6,7 +6,7 @@
 # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
 # libdrm).

-  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+  @{sys}/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,


  # Include additions to the abstraction
--- a/profiles/apparmor.d/abstractions/mesa
+++ b/profiles/apparmor.d/abstractions/mesa
@ -12,7 +12,7 @@
  # (src/intel/perf/gen_perf.c, load_oa_metrics())
  @{PROC}/sys/dev/i915/perf_stream_paranoid r,

-  @{sys}/devices/pci[0-9]*/**/{revision,config} r,
+  @{sys}/devices/@{pci_bus}/**/{revision,config} r,

  # User files
  owner @{HOME}/.cache/ w, # if user clears all caches
--- a/profiles/apparmor.d/abstractions/opencl-intel
+++ b/profiles/apparmor.d/abstractions/opencl-intel
@ -15,7 +15,7 @@
  # System files

  /dev/dri/card[0-9]* rw, # beignet/libcl.so
-  @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+  @{sys}/devices/@{pci_bus}/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
  /usr/lib/@{multiarch}/beignet/** r,


--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@ -19,7 +19,7 @@
  # libnvidia-opencl.so rules:
  /dev/nvidia-uvm rw,
  /dev/nvidia-uvm-tools rw,
-  @{sys}/devices/pci[0-9]*/**/config r,
+  @{sys}/devices/@{pci_bus}/**/config r,
  @{sys}/devices/system/memory/block_size_bytes r,
  /usr/share/nvidia/** r,
  @{PROC}/devices r,
--- a/profiles/apparmor.d/abstractions/opencl-pocl
+++ b/profiles/apparmor.d/abstractions/opencl-pocl
@ -16,10 +16,10 @@
  @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
  @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
  @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
-  @{sys}/devices/pci[0-9]*/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
-  @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
-  @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
-  @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  @{sys}/devices/@{pci_bus}/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
+  @{sys}/devices/@{pci_bus}/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+  @{sys}/devices/@{pci_bus}/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+  @{sys}/devices/@{pci_bus}/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
  @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
  @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
  @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
--- a/profiles/apparmor.d/abstractions/video
+++ b/profiles/apparmor.d/abstractions/video
@ -9,8 +9,8 @@

  owner /dev/shm/libv4l-* rw,
        /dev/video[0-9]* rw,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r,
+  @{sys}/devices/@{pci_bus}/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
+  @{sys}/devices/@{pci_bus}/**/usb[0-9]/**/{modalias,speed} r,

  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/dmi/id/product_{name,version} r,
--- a/profiles/apparmor.d/abstractions/vulkan
+++ b/profiles/apparmor.d/abstractions/vulkan
@ -9,10 +9,10 @@
  /etc/vulkan/icd.d/{,*.json} r,
  /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
  # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
-  @{sys}/devices/pci[0-9]*/*/drm/ r,
-  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
-  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
-  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/@{pci_bus}/*/drm/ r,
+  @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/@{pci_bus}/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
  /usr/share/egl/egl_external_platform.d/{,*} r,
  /usr/share/glvnd/egl_vendor.d/{,*} r,
  /usr/share/vulkan/icd.d/{,*.json} r,
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@ -23,7 +23,7 @@ profile lsblk /usr/bin/lsblk {
  @{sys}/class/block/ r,
  @{sys}/dev/block/ r,

-  @{sys}/devices/pci@{hex4}:@{hex2}/** r,
+  @{sys}/devices/@{pci_bus}/** r,
  @{sys}/devices/virtual/** r,
  @{sys}/devices/platform/** r,

--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@ -28,7 +28,7 @@ profile nvidia_modprobe {
  /dev/nvidia-uvm w,
  /dev/nvidia-uvm-tools w,
  @{sys}/bus/pci/devices/ r,
-  @{sys}/devices/pci[0-9]*/**/config r,
+  @{sys}/devices/@{pci_bus}/**/config r,
  @{PROC}/devices r,
  @{PROC}/driver/nvidia/params r,
  @{PROC}/modules r,
--- a/profiles/apparmor.d/tunables/system
+++ b/profiles/apparmor.d/tunables/system
@ -96,4 +96,7 @@
@{word32}=@{word16}@{word16}
@{word64}=@{word32}@{word32}

+# Shortcut for PCI bus (e.g., /sys/devices/@{pci_bus}/**)
+@{pci_bus}=pci@{hex4}:@{hex2}
+
 include if exists <tunables/system.d>
--- a/profiles/apparmor.d/wpa_supplicant
+++ b/profiles/apparmor.d/wpa_supplicant
@ -131,7 +131,7 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant {
  network netlink raw,
  network packet dgram,

-  @{sys}/devices/pci[0-9]*:[0-9]*/**/ieee80211/phy[0-9]*/name r,
+  @{sys}/devices/@{pci_bus}/**/ieee80211/phy[0-9]*/name r,
  # Might also need @{sys}/class/ieee80211/ r,
  # phy* files inside are symlinks to the pci directory but directory
  # listing might be needed to enumerate and resolve symlinks
--- a/profiles/apparmor/profiles/extras/chromium_browser
+++ b/profiles/apparmor/profiles/extras/chromium_browser
@ -153,25 +153,25 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
  /sys/devices/system/cpu/possible r,
  /sys/devices/system/cpu/present r,
  /sys/devices/system/node/node*/meminfo r,
-  /sys/devices/pci[0-9]*/**/bConfigurationValue r,
-  /sys/devices/pci[0-9]*/**/boot_vga r,
-  /sys/devices/pci[0-9]*/**/busnum r,
-  /sys/devices/pci[0-9]*/**/class r,
-  /sys/devices/pci[0-9]*/**/config r,
-  /sys/devices/pci[0-9]*/**/descriptors r,
-  /sys/devices/pci[0-9]*/**/device r,
-  /sys/devices/pci[0-9]*/**/devnum r,
-  /sys/devices/pci[0-9]*/**/irq r,
-  /sys/devices/pci[0-9]*/**/manufacturer r,
-  /sys/devices/pci[0-9]*/**/product r,
-  /sys/devices/pci[0-9]*/**/resource r,
-  /sys/devices/pci[0-9]*/**/revision r,
-  /sys/devices/pci[0-9]*/**/serial r,
-  /sys/devices/pci[0-9]*/**/subsystem_device r,
-  /sys/devices/pci[0-9]*/**/subsystem_vendor r,
-  /sys/devices/pci[0-9]*/**/vendor r,
-  /sys/devices/pci[0-9]*/**/removable r,
-  /sys/devices/pci[0-9]*/**/block/**/size r,
+  /sys/devices/@{pci_bus}/**/bConfigurationValue r,
+  /sys/devices/@{pci_bus}/**/boot_vga r,
+  /sys/devices/@{pci_bus}/**/busnum r,
+  /sys/devices/@{pci_bus}/**/class r,
+  /sys/devices/@{pci_bus}/**/config r,
+  /sys/devices/@{pci_bus}/**/descriptors r,
+  /sys/devices/@{pci_bus}/**/device r,
+  /sys/devices/@{pci_bus}/**/devnum r,
+  /sys/devices/@{pci_bus}/**/irq r,
+  /sys/devices/@{pci_bus}/**/manufacturer r,
+  /sys/devices/@{pci_bus}/**/product r,
+  /sys/devices/@{pci_bus}/**/resource r,
+  /sys/devices/@{pci_bus}/**/revision r,
+  /sys/devices/@{pci_bus}/**/serial r,
+  /sys/devices/@{pci_bus}/**/subsystem_device r,
+  /sys/devices/@{pci_bus}/**/subsystem_vendor r,
+  /sys/devices/@{pci_bus}/**/vendor r,
+  /sys/devices/@{pci_bus}/**/removable r,
+  /sys/devices/@{pci_bus}/**/block/**/size r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/size r,
  /sys/devices/virtual/tty/tty*/active r,
--- a/profiles/apparmor/profiles/extras/firefox
+++ b/profiles/apparmor/profiles/extras/firefox
@ -194,11 +194,11 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
  @{PROC}/sys/vm/overcommit_memory r,
  @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r,
  # prevent crash LP: #1931602
-  /sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r,
+  /sys/devices/@{pci_bus}/**/{uevent,resource,irq,class} r,
  /sys/devices/platform/**/uevent r,
-  /sys/devices/pci*/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
-  /sys/devices/pci*/**/{,subsystem_}device r,
-  /sys/devices/pci*/**/{,subsystem_}vendor r,
+  /sys/devices/@{pci_bus}/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
+  /sys/devices/@{pci_bus}/**/{,subsystem_}device r,
+  /sys/devices/@{pci_bus}/**/{,subsystem_}vendor r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,

--- a/profiles/apparmor/profiles/extras/usr.bin.wireshark
+++ b/profiles/apparmor/profiles/extras/usr.bin.wireshark
@ -66,7 +66,7 @@ include <tunables/global>
  @{PROC}/@{pid}/net/dev r,

  # Backported from the dri-enumerate abstraction, available in AppArmor 2.13
-  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+  /sys/devices/@{pci_bus}/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,

  /tmp/.X[0-9]*-lock r,