From nobody Sun Apr 28 05:26:18 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1508935361051114.58788927640342;
 Wed, 25 Oct 2017 05:42:41 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 2028B5D9EE;
	Wed, 25 Oct 2017 12:42:39 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id B9F7617CE8;
	Wed, 25 Oct 2017 12:42:37 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 79A6D14B1B;
	Wed, 25 Oct 2017 12:42:35 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
	[10.5.11.12])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id v9PCgFdU028545 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 25 Oct 2017 08:42:15 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id BF0196FAB0; Wed, 25 Oct 2017 12:42:15 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx04.extmail.prod.ext.phx2.redhat.com
	[10.5.110.28])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id B72916FAAD
	for <libvir-list@redhat.com>; Wed, 25 Oct 2017 12:42:13 +0000 (UTC)
Received: from youngberry.canonical.com (youngberry.canonical.com
	[91.189.89.112]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id A740C7E380
	for <libvir-list@redhat.com>; Wed, 25 Oct 2017 12:42:12 +0000 (UTC)
Received: from 1.general.paelzer.uk.vpn ([10.172.196.172]
	helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <christian.ehrhardt@canonical.com>)
	id 1e7L0d-0001kZ-AS; Wed, 25 Oct 2017 12:42:11 +0000
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 2028B5D9EE
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com;
 spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 2028B5D9EE
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com A740C7E380
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com;
	dmarc=fail (p=none dis=none) header.from=canonical.com
Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=none
	smtp.mailfrom=christian.ehrhardt@canonical.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com A740C7E380
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
To: Libvirt Devel <libvir-list@redhat.com>
Date: Wed, 25 Oct 2017 14:42:08 +0200
Message-Id: 
 <1508935328-2165-1-git-send-email-christian.ehrhardt@canonical.com>
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 205
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.28]); Wed, 25 Oct 2017 12:42:12 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.28]);
	Wed, 25 Oct 2017 12:42:12 +0000 (UTC) for IP:'91.189.89.112'
	DOMAIN:'youngberry.canonical.com' HELO:'youngberry.canonical.com'
	FROM:'christian.ehrhardt@canonical.com' RCPT:''
X-RedHat-Spam-Score: -2.321  (RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,
	RP_MATCHES_RCVD) 91.189.89.112 youngberry.canonical.com 91.189.89.112
	youngberry.canonical.com <christian.ehrhardt@canonical.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.28
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-loop: libvir-list@redhat.com
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] virt-aa-helper: fix libusb access to udev usb
	descriptions
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]);
 Wed, 25 Oct 2017 12:42:39 +0000 (UTC)
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Type: text/plain; charset="utf-8"

In bf3a4140 "virt-aa-helper: fix libusb access to udev usb data" the
libusb access to properly detect the device/bus ids was fixed.

The path /run/udev/data/+usb* contains a subset of that information we
already allow to be read and are currently not needed for the function
qemu needs libusb for. But on the init of libusb all those files are
still read so a lot of apparmor denials can be seen when using usb host
devices, like:
  apparmor=3D"DENIED" operation=3D"open" name=3D"/run/udev/data/+usb:2-1.2:=
1.0"
  comm=3D"qemu-system-x86" requested_mask=3D"r" denied_mask=3D"r"

Today we could silence the warnings with a deny rule without breaking
current use cases. But since the data in there is only a subset of those
it can read already it is no additional information exposure. And on the
other hand a future udev/libusb/qemu combination might need it so allow
the access in the default apparmor profile.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index b341e31..97dd2d4 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -32,6 +32,7 @@
   # libusb needs udev data about usb devices (~equal to content of lsusb -=
v)
   /run/udev/data/c16[6,7]* r,
   /run/udev/data/c18[0,8,9]* r,
+  /run/udev/data/+usb* r,
=20
   # WARNING: this gives the guest direct access to host hardware and speci=
fic
   # portions of shared memory. This is required for sound using ALSA with =
kvm,
--=20
2.7.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list