Re: [PATCH] apparmor: allow getattr on usb devices

On 11/17/22 09:42, christian.ehrhardt(a)canonical.com wrote: > From: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; > > For the handling of usb we already allow plenty of read access, > but so far /sys/bus/usb/devices only needed read access to the directory > to enumerate the symlinks in there that point to the actual entries via > relative links to ../../../devices/. > > But in more recent systemd with updated libraries a program might do > getattr calls on those symlinks. And while symlinks in apparmor usually > do not matter, as it is the effective target of an access that has to be > allowed, here the getattr calls are on the links themselves. > > On USB hostdev usage that causes a set of denials like: > apparmor="DENIED" operation="getattr" class="file" > name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86" > requested_mask="r" denied_mask="r" ... > > It is safe to read the links, therefore add a rule to allow it to > the block of rules that covers the usb related access. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; > --- > src/security/apparmor/libvirt-qemu | 1 + > 1 file changed, 1 insertion(+) > Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt;

Michal