
On Mon, Nov 21, 2022 at 4:51 PM Michal Prívozník <mprivozn@redhat.com> wrote:
> On 11/17/22 09:42, christian.ehrhardt@canonical.com wrote:
> > From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> >
> > For the handling of usb we already allow plenty of read access, but so
> > far /sys/bus/usb/devices only needed read access to the directory to
> > enumerate the symlinks in there that point to the actual entries via
> > relative links to ../../../devices/.
> >
> > But in more recent systemd with updated libraries a program might do
> > getattr calls on those symlinks. And while symlinks in apparmor usually
> > do not matter, as it is the effective target of an access that has to
> > be allowed, here the getattr calls are on the links themselves.
> >
> > On USB hostdev usage that causes a set of denials like:
> >   apparmor="DENIED" operation="getattr" class="file"
> >   name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
> >   requested_mask="r" denied_mask="r"
> >   ...
> >
> > It is safe to read the links, therefore add a rule to allow it to the
> > block of rules that covers the usb related access.
> >
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  src/security/apparmor/libvirt-qemu | 1 +
> >  1 file changed, 1 insertion(+)
>
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Thank you for having a look, we are not yet in the 8.10 freeze and the
case is rather straightforward, therefore I have pushed it now.

> Michal

-- 
Christian Ehrhardt
Senior Staff Engineer, Ubuntu Server
Canonical Ltd
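The denial quoted in the patch description is the kind of line a host administrator has to triage when a guest with a USB hostdev starts misbehaving. As an added example, not code from this thread or from libvirt, here is a small Python parser for AppArmor audit lines that separates the case the patch describes (a getattr denied on a link entry directly under /sys/bus/usb/devices) from unrelated denials in the same log. The sample log lines, the profile name and the pid/uid values are constructed for the example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log: the first line mirrors the denial quoted in the patch
# description, the rest are made up for contrast (profile name, pid, uids are fake).
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="getattr" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/bus/usb/devices/usb1" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
audit: type=1400 apparmor="DENIED" operation="getattr" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/bus/usb/devices/1-1" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
audit: type=1400 apparmor="DENIED" operation="open" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/etc/shadow" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
audit: type=1400 apparmor="ALLOWED" operation="open" class="file" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/descriptors" pid=4242 comm="qemu-system-x86" requested_mask="r" fsuid=64055 ouid=0
kernel: unrelated message without any apparmor fields
"""

# The directory whose entries are symlinks into /sys/devices/ (see the patch text).
USB_LINK_DIR = "/sys/bus/usb/devices/"

# key=value tokens, either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[dict]:
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_usb_symlink_getattr(fields: dict) -> bool:
    """True for the case the patch describes: getattr denied on a link entry itself.

    AppArmor mediates the resolved path, so an access that follows one of these
    links is logged under its /sys/devices/ target. Only a getattr on the link
    entry shows up with a name directly under /sys/bus/usb/devices/.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "getattr":
        return False
    name = fields.get("name", "")
    if not name.startswith(USB_LINK_DIR):
        return False
    entry = name[len(USB_LINK_DIR):]
    return entry != "" and "/" not in entry


def summarize_denials(log_text: str) -> dict:
    """Split DENIED lines into the USB-link getattr case and everything else."""
    counts = Counter()
    usb_link_getattr = []
    other = []
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        counts[(fields.get("operation"), fields.get("name"))] += 1
        if is_usb_symlink_getattr(fields):
            usb_link_getattr.append(fields["name"])
        else:
            other.append((fields.get("operation"), fields.get("name")))
    return {"usb_link_getattr": usb_link_getattr, "other": other, "counts": counts}


if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG)
    print("getattr on USB link entries:", result["usb_link_getattr"])
    print("other denials (need separate review):", result["other"])
```

The two buckets matter because they call for different responses: the link getattr denials are the known benign pattern fixed by a read rule on the link entries, whereas anything in the other bucket (here the open of /etc/shadow) is exactly what the profile exists to block and should stay denied.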