diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 1a85a010..85f8f6b9 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -5,24 +5,11 @@
 abi ,
- /dev/ r,
- /dev/bus/usb/ r,
- /dev/bus/usb/@{int}/ r,
- /dev/bus/usb/@{int}/@{int} rwk,
+ include
- @{sys}/class/ r,
- @{sys}/class/usbmisc/ r,
+ /dev/bus/usb/@{int}/@{int} wk,
- @{sys}/bus/ r,
- @{sys}/bus/usb/ r,
- @{sys}/bus/usb/devices/{,**} r,
-
- @{sys}/devices/**/usb@{int}/{,**} rw,
-
- # Udev data about usb devices (~equal to content of lsusb -v)
- @{run}/udev/data/+usb:* r,
- @{run}/udev/data/c16[6,7]:@{int} r, # USB modems
- @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+ @{sys}/devices/**/usb@{int}/{,**} w,
 include if exists
diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read
new file mode 100644
index 00000000..6bd0c801
--- /dev/null
+++ b/apparmor.d/abstractions/devices-usb-read
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ /dev/ r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/@{int}/ r,
+ /dev/bus/usb/@{int}/@{int} r,
+
+ @{sys}/class/ r,
+ @{sys}/class/usbmisc/ r,
+
+ @{sys}/bus/ r,
+ @{sys}/bus/usb/ r,
+ @{sys}/bus/usb/devices/{,**} r,
+
+ @{sys}/devices/**/usb@{int}/{,**} r,
+
+ # Udev data about usb devices (~equal to content of lsusb -v)
+ @{run}/udev/data/+usb:* r,
+ @{run}/udev/data/c16[6,7]:@{int} r, # USB modems
+ @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb
index b628b366..40e902a8 100644
--- a/apparmor.d/profiles-g-l/lsusb
+++ b/apparmor.d/profiles-g-l/lsusb
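Review bot: After the split the write-side abstraction carries no comment stating what it grants or when a profile should include devices-usb-read instead, while the only rules left in it are `/dev/bus/usb/@{int}/@{int} wk` and `@{sys}/devices/**/usb@{int}/{,**} w`. The second rule matches every writable sysfs attribute under the USB host trees rather than the device descriptors alone, so the reason write access is needed deserves to be recorded next to it. Suggest a header comment above the include line such as `# Full (read/write) access to USB devices; tools that only enumerate devices should include devices-usb-read instead`. The angle-bracketed include target is not visible in this rendering, so I could not confirm that the new include points at the read abstraction.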
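Review bot: The udev rules `@{run}/udev/data/c16[6,7]:@{int} r` and `@{run}/udev/data/c18[0,8,9]:@{int} r` in the new file use commas inside bracket expressions; in AppArmor globbing a bracket expression is a character class, so the comma is matched as a literal alternative (a `c16,:` path that does not exist) rather than acting as a separator. It is harmless but reads as if only the listed numbers were intended, so write them as `@{run}/udev/data/c16[67]:@{int} r, # USB modems` and `@{run}/udev/data/c18[089]:@{int} r, # USB devices & USB serial converters`. The file also has a licence header but no line saying what it is; a comment such as `# Read-only access to USB devices (enumeration and udev metadata); pair with devices-usb when write access is required` after the SPDX line would help the next reader choose between the two abstractions.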
@@ -11,7 +11,7 @@ include
 profile lsusb @{exec_path} {
 include
 include
- include
+ include
 capability net_admin,