From 7b8232fe29fc05a75b280d6a02dc72fbfe32139d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Wed, 16 Apr 2025 09:05:43 +0200 Subject: [PATCH] lsblk profile: Minor fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107402 Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 Allow `/usr/bin/lsblk mr` to make this profile work from confined profiles. Also, allow css devices to work properly with lsblk. Signed-off-by: Maxime Bélair --- profiles/apparmor.d/lsblk | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk index c9bbbf2e2..10d908ad6 100644 --- a/profiles/apparmor.d/lsblk +++ b/profiles/apparmor.d/lsblk @@ -18,6 +18,8 @@ profile lsblk /usr/bin/lsblk { include include + /usr/bin/lsblk mr, + @{sys}/block/ r, @{sys}/class/block/ r, @{sys}/dev/block/ r, @@ -29,6 +31,9 @@ profile lsblk /usr/bin/lsblk { # Needed for disks over network e.g. Hyper-V VMs (including Azure), IBM Power, ... @{sys}/devices/**/host@{int}/** r, + # Needed for channel subsystem for IBM Z + @{sys}/devices/css[0-9]/** r, + /dev/sr[0-9]* rk, @{run}/udev/data/** r,
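Review bot: The added `/usr/bin/lsblk mr,` rule in the first hunk has no comment, while the sysfs rules in the second hunk each carry a `# Needed for ...` line stating why they exist. A rule that lets the binary read and map itself looks redundant to someone auditing or trimming the profile later, so the reason given in the commit message belongs directly above it, e.g. `# Let lsblk read and map its own binary when it is run from another confined profile`. The profile body starts and ends outside this hunk, so whether an included abstraction already grants part of this cannot be checked from here.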
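Review bot: The new `@{sys}/devices/css[0-9]/** r,` rule in the second hunk matches only a single-digit channel subsystem ID, whereas the host rule just above it uses `@{int}` for its numeric component. If a system ever exposes a css ID with more than one digit, lsblk would presumably hit denials there again; `@{sys}/devices/css@{int}/** r,` would keep the two rules consistent. The trailing `/**` also grants read on the whole css subtree rather than only the paths lsblk walks for block devices. That is read-only sysfs, but if the denied paths are known from the linked bug report, a narrower pattern would be closer to least privilege. The profile continues outside the hunk.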