Comment 3 for bug 1993304

Jelle van der Waa (jelle-vdwaa) wrote:

Hi,

Sorry for the lack of information:

Ubuntu version: 22.10
Kernel: Linux ubuntu 5.19.0-19-generic

$ cat /etc/apparmor.d/abstractions/libvirt-qemu
  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/**/usb[0-9]*/** r,
  # libusb needs udev data about usb devices (~equal to content of lsusb -v)
  /run/udev/data/+usb* r,
  /run/udev/data/c16[6,7]* r,
  /run/udev/data/c18[0,8,9]* r,

root@ubuntu:~# ls -lh /sys/bus/usb/devices/1-0:1.0
lrwxrwxrwx 1 root root 0 Oct 19 18:39 /sys/bus/usb/devices/1-0:1.0 -> ../../../devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0

So that would be: /sys/devices/pci0000\:00/0000\:00\:01.2/usb1/

And indeed that should be handled by "/sys/devices/**/usb[0-9]*/** r,".

Fuller output:

[ 40.741731] audit: type=1400 audit(1666205557.536:35): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" pid=7416 comm="apparmor_parser"
[ 40.775021] audit: type=1400 audit(1666205557.568:36): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" name="/sys/bus/usb/devices/usb1" pid=4814 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[ 40.775053] audit: type=1400 audit(1666205557.568:37): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" name="/sys/bus/usb/devices/1-0:1.0" pid=4814 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

root@ubuntu:~# cat /etc/apparmor.d/libvirt/libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b
#include <tunables/global>

profile libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b.files>

}

Note: this happened in Cockpit CI.

After we updated our ubuntu 22.10 image:

https://logs.cockpit-project.org/logs/image-refresh-3953-20221014-083434/log (yes, this doesn't have a valid CA)

Notable changes:

  libvirt (8.6.0-0ubuntu1 -> 8.6.0-0ubuntu3)
  linux (5.19.0-15.15 -> 5.19.0-19.19)
  apparmor (3.0.7-1ubuntu1 -> 3.0.7-1ubuntu2)
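As an added example (not code from the bug report, libvirt or AppArmor), the Python below parses the DENIED audit lines quoted above and reports which rule of the quoted abstraction covers each denied path, under the AppArmor glob semantics assumed in its docstring; it is a quick way to tell whether the logged name itself, or only the symlink's target, is covered by the rules.

```python
import re

# Rules copied from the abstractions/libvirt-qemu snippet quoted in the comment.
RULES = [
    "/sys/bus/usb/devices/",
    "/sys/devices/**/usb[0-9]*/**",
    "/run/udev/data/+usb*",
    "/run/udev/data/c16[6,7]*",
    "/run/udev/data/c18[0,8,9]*",
]

def glob_to_regex(rule):
    """AppArmor path glob -> anchored regex. Assumed semantics: '*' stays inside one
    path component, '**' crosses '/', '[...]' is a character class; a trailing '/'
    covers only that directory, not its entries."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule[i] == "[":
            j = rule.index("]", i)
            out.append(rule[i:j + 1])  # class copied verbatim, e.g. [6,7]
            i = j + 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def matching_rules(path, rules=RULES):
    """Every rule whose glob covers `path`; an empty list means nothing allows it."""
    return [r for r in rules if glob_to_regex(r).match(path)]

def denied_paths(log):
    """The name= field of each apparmor="DENIED" line in an audit log."""
    return re.findall(r'apparmor="DENIED".*?\bname="([^"]+)"', log)
# Constructed from the two denial lines in the comment (other fields dropped).
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="getattr" name="/sys/bus/usb/devices/usb1" requested_mask="r"
audit: type=1400 apparmor="DENIED" operation="getattr" name="/sys/bus/usb/devices/1-0:1.0" requested_mask="r"
"""

if __name__ == "__main__":
    for p in denied_paths(SAMPLE_LOG):
        print(p, "->", matching_rules(p) or "no rule covers this path")
    # The symlink target quoted in the comment is covered by the '**' rule.
    print(matching_rules("/sys/devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0"))
```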