[libvirt] [PATCH] virt-aa-helper: fix libusb access to udev usb descriptions

Jamie Strandboge jamie at canonical.com
Wed Oct 25 18:22:20 UTC 2017


On Wed, 2017-10-25 at 14:42 +0200, Christian Ehrhardt wrote:
> In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
> libusb access to properly detect the device/bus ids was fixed.
> 
> The path /run/udev/data/+usb* contains a subset of that information we
> already allow to be read and is currently not needed for the function
> qemu needs libusb for. But on the init of libusb all those files are
> still read, so a lot of apparmor denials can be seen when using usb host
> devices, like:
>   apparmor="DENIED" operation="open" name="/run/udev/data/+usb:2-1.2:1.0"
>   comm="qemu-system-x86" requested_mask="r" denied_mask="r"
> 
> Today we could silence the warnings with a deny rule without breaking
> current use cases. But since the data in there is only a subset of those
> it can read already, it is no additional information exposure. And on the
> other hand a future udev/libusb/qemu combination might need it, so allow
> the access in the default apparmor profile.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  examples/apparmor/libvirt-qemu | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> index b341e31..97dd2d4 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -32,6 +32,7 @@
>    # libusb needs udev data about usb devices (~equal to content of
> lsusb -v)
>    /run/udev/data/c16[6,7]* r,
>    /run/udev/data/c18[0,8,9]* r,
> +  /run/udev/data/+usb* r,
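Review bot: the two existing rules directly above the added line, `/run/udev/data/c16[6,7]* r,` and `/run/udev/data/c18[0,8,9]* r,`, use a comma inside the bracket class, but an AppArmor bracket class lists single characters, so the comma is a literal member and `c16[6,7]*` also matches names such as `/run/udev/data/c16,...`; since this patch touches the same block, consider writing them as `c16[67]*` and `c18[089]*`. The new `/run/udev/data/+usb* r,` line itself looks right: `*` does not cross `/`, so it covers the `+usb:2-1.2:1.0` name in the quoted denial and nothing outside the udev data directory, and it is read-only. The comment above the block ("libusb needs udev data about usb devices") should be extended to mention the `+usb*` entries alongside the c16x/c18x ones so the next reader knows why a non-`c` prefix appears here.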

This read-only access seems perfectly fine to me. +1

-- 
Jamie Strandboge             | http://www.canonical.com
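As an added example (not code from the patch, the thread, or the libvirt project), the following Python script checks whether a set of AppArmor file rules would cover the names seen in DENIED audit lines, using AppArmor's glob semantics (`*` stops at `/`, `**` crosses it, `[...]` lists single characters, `{a,b}` is alternation). The rules are the three udev lines from the hunk above; the audit lines, and the `profile`, `pid` and `fsuid` values in them, are constructed for the example and include one `+pci` name and one write request that the read-only rules are not meant to cover.

```python
import re

# The three udev rules from the libvirt-qemu profile as they read after the patch.
RULES = [
    ("/run/udev/data/c16[6,7]*", "r"),
    ("/run/udev/data/c18[0,8,9]*", "r"),
    ("/run/udev/data/+usb*", "r"),
]

# Constructed audit lines in the shape of the denial quoted in the thread.
# profile, pid and fsuid are made-up values for this example.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="libvirt-example" name="/run/udev/data/+usb:2-1.2:1.0" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-example" name="/run/udev/data/+usb:2-1.2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-example" name="/run/udev/data/c189:130" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-example" name="/run/udev/data/+pci:0000:00:14.0" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="DENIED" operation="open" profile="libvirt-example" name="/run/udev/data/+usb:2-1.2" pid=4242 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
"""


def glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regular expression.

    '*'  matches any run of characters except '/'
    '**' matches any run of characters including '/'
    '?'  matches one character other than '/'
    '[...]' is a character class of single characters or ranges, so the
            comma in '[6,7]' is itself a member, exactly as in AppArmor
    '{a,b}' is alternation (nested braces are not handled here)
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = glob.find("]", i)
            if j < 0:
                raise ValueError("unterminated character class in %r" % glob)
            # ranges and leading '^' mean the same thing in both syntaxes
            out.append("[" + glob[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        elif c == "{":
            j = glob.find("}", i)
            if j < 0:
                raise ValueError("unterminated alternation in %r" % glob)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def glob_matches(glob, path):
    """True if the AppArmor glob matches the whole path."""
    return re.fullmatch(glob_to_regex(glob), path) is not None


DENIAL_RE = re.compile(r'apparmor="DENIED".*?name="([^"]+)".*?requested_mask="([^"]+)"')


def parse_denial(line):
    """Return (path, requested_mask) for an AppArmor DENIED audit line, else None."""
    m = DENIAL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def covering_rule(path, mask, rules):
    """Glob of the first rule that matches path and grants every requested
    permission character, or None when no rule would allow the access."""
    for glob, perms in rules:
        if glob_matches(glob, path) and set(mask) <= set(perms):
            return glob
    return None


def uncovered_denials(log_text, rules):
    """Denials in log_text that none of the rules would allow."""
    missing = []
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None:
            continue
        path, mask = denial
        if covering_rule(path, mask, rules) is None:
            missing.append(denial)
    return missing


if __name__ == "__main__":
    for path, mask in uncovered_denials(SAMPLE_LOG, RULES):
        print("still denied: %s (%s)" % (path, mask))
```

Run against the pre-patch rules (`RULES[:2]`) both `+usb` read denials are reported; with the added `+usb*` line only the constructed `+pci` read and the write request remain, which is the intended outcome since the rule is read-only and scoped to usb entries. The matcher also makes the `[6,7]` quirk visible: `glob_matches("/run/udev/data/c16[6,7]*", "/run/udev/data/c16,x")` is true.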