On 10/25/2017 02:42 PM, Christian Ehrhardt wrote:
> In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
> libusb access to properly detect the device/bus ids was fixed.
>
> The path /run/udev/data/+usb* contains a subset of that information we
> already allow to be read and are currently not needed for the function
> qemu needs libusb for. But on the init of libusb all those files are
> still read so a lot of apparmor denials can be seen when using usb host
> devices, like:
> apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
> comm="qemu-system-x86" requested_mask="r" denied_mask="r"
>
> Today we could silence the warnings with a deny rule without breaking
> current use cases. But since the data in there is only a subset of those
> it can read already it is no additional information exposure. And on the
> other hand a future udev/libusb/qemu combination might need it so allow
> the access in the default apparmor profile.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
> examples/apparmor/libvirt-qemu | 1 +
> 1 file changed, 1 insertion(+)
>

ACKed and pushed.

Michal
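One way to check which logged denials a rule for the path named in the commit message would cover, as an added example that is not part of the patch or of libvirt. The log lines are constructed, the `r` permission is an assumption (the rule itself is not shown in the message), and the glob translation handles only `*`, `**` and `?`.

```python
import re

# Constructed log lines in the shape of the denial quoted in the commit message;
# only the first path/mask pair comes from the message, the rest are made up.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0" comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0" comm="qemu-system-x86" requested_mask="rw" denied_mask="w"
apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1/sub" comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="ALLOWED" operation="open" name="/run/udev/data/+usb:3-1:1.0" comm="qemu-system-x86" requested_mask="r" denied_mask="r"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key/value fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        fields = {k: (q if q else u) for k, q, u in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events

def glob_to_regex(glob):
    """Translate AppArmor path globbing (subset: *, ** and ?) to a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):   # ** may cross directory separators
            out.append(".*"); i += 2
        elif glob[i] == "*":           # * stops at '/'
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":           # ? is one character other than '/'
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def triage(text, glob, perms):
    """Split denials into those a '<glob> <perms>,' rule would allow and the rest."""
    rx = glob_to_regex(glob)
    covered, remaining = [], []
    for ev in parse_denials(text):
        name, mask = ev.get("name", ""), ev.get("denied_mask", "")
        ok = rx.match(name) and set(mask) <= set(perms)
        (covered if ok else remaining).append((name, mask))
    return covered, remaining

if __name__ == "__main__":
    covered, remaining = triage(SAMPLE_LOG, "/run/udev/data/+usb*", "r")
    print("covered by rule:", covered)
    print("still denied:   ", remaining)
```

Denials left in the second list (a write request, or a path below a subdirectory) would still appear after such a rule is loaded and deserve a separate look.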