From: christian.ehrhardt@canonical.com
To: libvir-list@redhat.com
Cc: Christian Ehrhardt
Subject: [PATCH] apparmor: allow getattr on usb devices
Date: Thu, 17 Nov 2022 09:42:06 +0100
Message-Id: <20221117084206.3281415-1-christian.ehrhardt@canonical.com>
List-Id: Development discussions about the libvirt library & tools
From: Christian Ehrhardt

For the handling of usb we already allow plenty of read access, but so far
/sys/bus/usb/devices only needed read access to the directory to enumerate
the symlinks in there that point to the actual entries via relative links
to ../../../devices/.

But in more recent systemd with updated libraries a program might do getattr
calls on those symlinks. And while symlinks in apparmor usually do not matter,
as it is the effective target of an access that has to be allowed, here the
getattr calls are on the links themselves.

On USB hostdev usage that causes a set of denials like:

apparmor="DENIED" operation="getattr" class="file"
name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
requested_mask="r" denied_mask="r"
...

It is safe to read the links, therefore add a rule to allow it to the
block of rules that covers the usb related access.

Signed-off-by: Christian Ehrhardt
Reviewed-by: Michal Privoznik
---
 src/security/apparmor/libvirt-qemu | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 02ee273e7e..d0289b8943 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -42,6 +42,7 @@
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
+  /sys/bus/usb/devices/* r,
   /sys/devices/**/usb[0-9]*/** r,
   # libusb needs udev data about usb devices (~equal to content of lsusb -v)
   /run/udev/data/+usb* r,
-- 
2.38.1
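Review bot: the added `/sys/bus/usb/devices/* r,` line carries no comment saying why the link entries themselves need `r`, while the neighbouring `# libusb needs udev data about usb devices` comment documents the udev rule; someone reading the profile later will not have the commit message in front of them. A one-line comment above the new rule, e.g. `# newer systemd/libraries getattr() the symlinks in here, not only their targets`, would record that. It is also worth stating there that `*` does not cross `/`, so the rule only exposes the link names directly inside the directory; an access that follows one of those links into `/sys/devices/...` is still governed by the existing `/sys/devices/**/usb[0-9]*/** r,` rule.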
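The commit message hinges on two AppArmor path-matching facts: a rule for a directory (`/sys/bus/usb/devices/ r,`) does not cover the entries inside it, and `*` stops at the next `/` while `**` does not. The script below is an added example, not part of this patch or of libvirt: it parses audit lines of the shape quoted in the commit message, replays them against the rule block before and after the patch using a small re-implementation of AppArmor's glob syntax, and reports which events the rules leave uncovered. The sample audit lines, the `profile=` field and the `/sys/devices/pci0000:00/0000:00:14.0/...` paths are constructed for the example; the glob translation handles `*`, `**`, `?`, `[...]`, `\` and a single level of `{a,b}` only, which is enough for the rules on this page.

```python
import re

# One key=value pair from an audit line; values are either quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return the key/value fields of an AppArmor audit line as a dict."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def glob_to_regex(pattern):
    """Translate an AppArmor file-rule glob into a Python regex (simplified).

    '*'  matches any run of characters except '/'
    '**' matches any run of characters including '/'
    '?'  matches one character except '/'
    '[..]' is a character class, '{a,b}' an alternation, '\\' an escape.
    """
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
            else:
                out.append("[^/]*")
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.index("]", i + 1)
            out.append("[" + pattern[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        elif c == "{":
            j = pattern.index("}", i + 1)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        elif c == "\\" and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(rule, path, mask):
    """True if the rule's glob matches the whole path and grants every bit in mask."""
    glob, perms = rule
    return re.fullmatch(glob_to_regex(glob), path) is not None and set(mask) <= set(perms)


def covered(rules, path, mask):
    return any(rule_matches(r, path, mask) for r in rules)


def events_not_covered(rules, log_lines):
    """(operation, name, mask) for every file event the rule set would not allow."""
    missing = []
    for line in log_lines:
        f = parse_event(line)
        if "name" not in f or "denied_mask" not in f:
            continue
        if not covered(rules, f["name"], f["denied_mask"]):
            missing.append((f["operation"], f["name"], f["denied_mask"]))
    return missing


# The usb block of libvirt-qemu as it appears in the hunk context, before and after the patch.
RULES_BEFORE = [
    ("/sys/bus/usb/devices/", "r"),
    ("/sys/devices/**/usb[0-9]*/**", "r"),
    ("/run/udev/data/+usb*", "r"),
]
RULES_AFTER = RULES_BEFORE + [("/sys/bus/usb/devices/*", "r")]

# Constructed audit lines in the format quoted in the commit message (profile name and
# PCI paths are made up). The last two use resolved /sys/devices paths, as the kernel
# reports the final target when an access follows a symlink.
SAMPLE_EVENTS = [
    'apparmor="DENIED" operation="getattr" class="file" profile="libvirt-qemu-example" name="/sys/bus/usb/devices/usb1" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="DENIED" operation="getattr" class="file" profile="libvirt-qemu-example" name="/sys/bus/usb/devices/1-1.2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="ALLOWED" operation="open" class="file" profile="libvirt-qemu-example" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/descriptors" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="DENIED" operation="open" class="file" profile="libvirt-qemu-example" name="/sys/devices/pci0000:00/0000:00:14.0/usb1/authorized" pid=4242 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0',
]

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label)
        for op, name, mask in events_not_covered(rules, SAMPLE_EVENTS):
            print(f"  not covered: {op} {name} mask={mask}")
```

Run against the constructed lines, the "before" rule set leaves both getattr events on the link names uncovered, exactly the denials the commit message describes, and the "after" set covers them; the write to `authorized` stays uncovered in both, since the `/sys/devices/**/usb[0-9]*/**` rule grants only `r`, and `/sys/bus/usb/devices/usb1/authorized` would not match the new rule because `*` does not cross `/`.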