On Mon, Nov 21, 2022 at 4:51 PM Michal Prívozník <mpriv...@redhat.com> wrote:
>
> On 11/17/22 09:42, christian.ehrha...@canonical.com wrote:
> > From: Christian Ehrhardt <christian.ehrha...@canonical.com>
> >
> > For the handling of usb we already allow plenty of read access,
> > but so far /sys/bus/usb/devices only needed read access to the directory
> > to enumerate the symlinks in there that point to the actual entries via
> > relative links to ../../../devices/.
> >
> > But in more recent systemd with updated libraries a program might do
> > getattr calls on those symlinks. And while symlinks in apparmor usually
> > do not matter, as it is the effective target of an access that has to be
> > allowed, here the getattr calls are on the links themselves.
> >
> > On USB hostdev usage that causes a set of denials like:
> > apparmor="DENIED" operation="getattr" class="file"
> > name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
> > requested_mask="r" denied_mask="r" ...
> >
> > It is safe to read the links, therefore add a rule to allow it to
> > the block of rules that covers the usb-related access.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrha...@canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 1 +
> >  1 file changed, 1 insertion(+)
> >
>
> Reviewed-by: Michal Privoznik <mpriv...@redhat.com>
Thank you for having a look. We are not yet in the 8.10 freeze and the case
is rather straightforward, therefore I have pushed it now.

> Michal
>

--
Christian Ehrhardt
Senior Staff Engineer, Ubuntu Server
Canonical Ltd
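A small triage helper, added here as an example and not part of the patch or of libvirt: it parses AppArmor audit lines of the form quoted in the commit message into the (path, operation, mask) tuples a profile maintainer needs, and groups them by parent directory so that a set of per-symlink denials shows up as one directory needing read access. The log lines are constructed after the denial quoted above; the profile name and pids in them are made up.

```python
"""Summarise AppArmor DENIED audit lines for profile maintenance."""
import posixpath
import re
from collections import defaultdict

# Constructed sample lines modelled on the getattr denials the patch
# description quotes for USB hostdev use; profile/pid values are made up.
SAMPLE_LOG = """\
apparmor="DENIED" operation="getattr" class="file" profile="libvirt-0000" name="/sys/bus/usb/devices/usb1" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="getattr" class="file" profile="libvirt-0000" name="/sys/bus/usb/devices/usb2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="getattr" class="file" profile="libvirt-0000" name="/sys/bus/usb/devices/1-1" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" class="file" profile="libvirt-0000" name="/dev/bus/usb/001/002" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as audit lines emit them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one audit line into a dict of key -> value (quoted or bare)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarise_denials(log_text, path_prefix=None):
    """Group DENIED file records by (name, operation); accumulate the union of
    denied_mask letters and the commands that hit the denial.
    Returns a sorted list of (name, operation, mask, [comm, ...])."""
    acc = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("apparmor") != "DENIED" or rec.get("class") != "file":
            continue
        name = rec.get("name", "")
        if path_prefix and not name.startswith(path_prefix):
            continue
        masks, comms = acc[(name, rec.get("operation", "?"))]
        masks.update(rec.get("denied_mask", ""))
        comms.add(rec.get("comm", "?"))
    return [(name, op, "".join(sorted(masks)), sorted(comms))
            for (name, op), (masks, comms) in sorted(acc.items())]


def group_by_dir(rows):
    """Collapse per-path rows into their parent directory: one entry per
    directory with the union of masks and the number of distinct paths."""
    out = {}
    for name, _op, mask, _comms in rows:
        directory = posixpath.dirname(name)
        seen_mask, count = out.get(directory, ("", 0))
        out[directory] = ("".join(sorted(set(seen_mask) | set(mask))), count + 1)
    return out
```

Running `group_by_dir(summarise_denials(SAMPLE_LOG))` on the sample collapses the three symlink denials into a single `/sys/bus/usb/devices` entry needing `r`, which is the shape of decision the patch makes.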