Re: [libvirt] [PATCH] virt-aa-helper: fix libusb access to udev usb descriptions

In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the libusb access to properly detect the device/bus ids was fixed. The path /run/udev/data/+usb* contains a subset of that information we already allow to be read and are currently not needed for the function qemu needs libusb for. But on the init of libusb all those files are still read so a lot of apparmor denials can be seen when using usb host devices, like: apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2- 1.2:1.0" comm="qemu-system-x86" requested_mask="r" denied_mask="r" Today we could silence the warnings with a deny rule without breaking current use cases. But since the data in there is only a subset of those it can read already it is no additional information exposure. And on the other hand a future udev/libusb/qemu combination might need it so allow the access in the default apparmor profile. Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; --- examples/apparmor/libvirt-qemu | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index b341e31..97dd2d4 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -32,6 +32,7 @@ # libusb needs udev data about usb devices (~equal to content of lsusb -v) /run/udev/data/c16[6,7]* r, /run/udev/data/c18[0,8,9]* r, + /run/udev/data/+usb* r,