Re: [PATCH] apparmor: allow getattr on usb devices

On Mon, Nov 21, 2022 at 4:51 PM Michal Prívozník <mprivozn(a)redhat.com&gt; wrote: > > On 11/17/22 09:42, christian.ehrhardt(a)canonical.com wrote: >> From: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; >> >> For the handling of usb we already allow plenty of read access, >> but so far /sys/bus/usb/devices only needed read access to the directory >> to enumerate the symlinks in there that point to the actual entries via >> relative links to ../../../devices/. >> >> But in more recent systemd with updated libraries a program might do >> getattr calls on those symlinks. And while symlinks in apparmor usually >> do not matter, as it is the effective target of an access that has to be >> allowed, here the getattr calls are on the links themselves. >> >> On USB hostdev usage that causes a set of denials like: >> apparmor="DENIED" operation="getattr" class="file" >> name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86" >> requested_mask="r" denied_mask="r" ... >> >> It is safe to read the links, therefore add a rule to allow it to >> the block of rules that covers the usb related access. >> >> Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com&gt; >> --- >> src/security/apparmor/libvirt-qemu | 1 + >> 1 file changed, 1 insertion(+) >> > > Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com&gt; Thank you for having a look, we are not yet in the 8.10 freeze and the case is rather straightforward, therefore I have pushed it now.