Ubuntu version: 22.10
Kernel: Linux ubuntu 5.19.0-19-generic
$ cat /etc/apparmor.d/abstractions/libvirt-qemu
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
/run/udev/data/+usb* r,
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
root@ubuntu:~# ls -lh /sys/bus/usb/devices/1-0:1.0
lrwxrwxrwx 1 root root 0 Oct 19 18:39 /sys/bus/usb/devices/1-0:1.0 -> ../../../devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0
So that would be: /sys/devices/pci0000\:00/0000\:00\:01.2/usb1/
And indeed that should be handled by "/sys/devices/**/usb[0-9]*/** r,".
Hi,
Sorry for the lack of information:
Ubuntu version: 22.10
Kernel: Linux ubuntu 5.19.0-19-generic
$ cat /etc/apparmor.d/abstractions/libvirt-qemu
# For hostdev access. The actual devices will be added dynamically
/sys/bus/usb/devices/ r,
/sys/devices/**/usb[0-9]*/** r,
# libusb needs udev data about usb devices (~equal to content of lsusb -v)
/run/udev/data/+usb* r,
/run/udev/data/c16[6,7]* r,
/run/udev/data/c18[0,8,9]* r,
root@ubuntu:~# ls -lh /sys/bus/usb/devices/1-0:1.0
lrwxrwxrwx 1 root root 0 Oct 19 18:39 /sys/bus/usb/devices/1-0:1.0 -> ../../../devices/pci0000:00/0000:00:01.2/usb1/1-0:1.0
So that would be: /sys/devices/pci0000\:00/0000\:00\:01.2/usb1/
And indeed that should be handled by "/sys/devices/**/usb[0-9]*/** r,".
Fuller output:
[ 40.741731] audit: type=1400 audit(1666205557.536:35): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" pid=7416 comm="apparmor_parser"
[ 40.775021] audit: type=1400 audit(1666205557.568:36): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" name="/sys/bus/usb/devices/usb1" pid=4814 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[ 40.775053] audit: type=1400 audit(1666205557.568:37): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b" name="/sys/bus/usb/devices/1-0:1.0" pid=4814 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
root@ubuntu:~# cat /etc/apparmor.d/libvirt/libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b
#include <tunables/global>
profile libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-b14c0d3c-1c39-4d8e-ab57-6434b4efa59b.files>
}
Note, this happened in Cockpit CI
After we updated our ubuntu 22.10 image:
https://logs.cockpit-project.org/logs/image-refresh-3953-20221014-083434/log (yes, this doesn't have a valid CA)
Notable changes:
libvirt (8.6.0-0ubuntu1 -> 8.6.0-0ubuntu3)
linux (5.19.0-15.15 -> 5.19.0-19.19)
apparmor (3.0.7-1ubuntu1 -> 3.0.7-1ubuntu2)