On Wed, 2017-10-25 at 14:42 +0200, Christian Ehrhardt wrote:
> In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
> libusb access to properly detect the device/bus ids was fixed.
>
> The path /run/udev/data/+usb* contains a subset of that information we
> already allow to be read and are currently not needed for the function
> qemu needs libusb for. But on the init of libusb all those files are
> still read so a lot of apparmor denials can be seen when using usb host
> devices, like:
> apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
> comm="qemu-system-x86" requested_mask="r" denied_mask="r"
>
> Today we could silence the warnings with a deny rule without breaking
> current use cases. But since the data in there is only a subset of those
> it can read already it is no additional information exposure. And on the
> other hand a future udev/libusb/qemu combination might need it so allow
> the access in the default apparmor profile.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
>  examples/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index b341e31..97dd2d4 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -32,6 +32,7 @@
>    # libusb needs udev data about usb devices (~equal to content of lsusb -v)
>    /run/udev/data/c16[6,7]* r,
>    /run/udev/data/c18[0,8,9]* r,
> +  /run/udev/data/+usb* r,

This read-only access seems perfectly fine to me. +1

-- 
Jamie Strandboge | http://www.canonical.com
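Review bot: the profile comment above the three rules ("libusb needs udev data about usb devices (~equal to content of lsusb -v)") does not say why the new `+usb*` glob is needed in addition to the `c16[6,7]*` and `c18[0,8,9]*` character-device entries, so the reasoning lives only in the commit message. Suggest extending that comment in the hunk, e.g. "libusb also reads the /run/udev/data/+usb* interface records at init", so a later profile reader can tell the rule is there to stop the open() denials rather than to grant anything libusb could not already derive. The rule itself is read-only (`r`) and matches the existing style of the surrounding lines, so no change to the rule is needed.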
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list