From d2f7ee0bb4fcbf4f355b1ad1516bddfde0353dd2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 10 Nov 2024 19:10:18 +0000
Subject: [PATCH] feat(abs): add the devices-usb-read abstraction.

---
 apparmor.d/abstractions/devices-usb      | 19 +++-------------
 apparmor.d/abstractions/devices-usb-read | 29 ++++++++++++++++++++++++
 apparmor.d/profiles-g-l/lsusb            |  2 +-
 3 files changed, 33 insertions(+), 17 deletions(-)
 create mode 100644 apparmor.d/abstractions/devices-usb-read

diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 1a85a010..85f8f6b9 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -5,24 +5,11 @@
 
   abi <abi/4.0>,
 
-  /dev/ r,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/bus/usb/@{int}/@{int} rwk,
+  include <abstractions/devices-usb-read>
 
-  @{sys}/class/ r,
-  @{sys}/class/usbmisc/ r,
+  /dev/bus/usb/@{int}/@{int} wk,
 
-  @{sys}/bus/ r,
-  @{sys}/bus/usb/ r,
-  @{sys}/bus/usb/devices/{,**} r,
-
-  @{sys}/devices/**/usb@{int}/{,**} rw,
-
-  # Udev data about usb devices (~equal to content of lsusb -v)
-  @{run}/udev/data/+usb:* r,
-  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
-  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+  @{sys}/devices/**/usb@{int}/{,**} w,
 
   include if exists <abstractions/devices-usb.d>
 
diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read
new file mode 100644
index 00000000..6bd0c801
--- /dev/null
+++ b/apparmor.d/abstractions/devices-usb-read
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/@{int}/ r,
+  /dev/bus/usb/@{int}/@{int} r,
+
+  @{sys}/class/ r,
+  @{sys}/class/usbmisc/ r,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/usb/ r,
+  @{sys}/bus/usb/devices/{,**} r,
+
+  @{sys}/devices/**/usb@{int}/{,**} r,
+
+  # Udev data about usb devices (~equal to content of lsusb -v)
+  @{run}/udev/data/+usb:* r,
+  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
+  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+
+  include if exists <abstractions/devices-usb-read.d>
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb
index b628b366..40e902a8 100644
--- a/apparmor.d/profiles-g-l/lsusb
+++ b/apparmor.d/profiles-g-l/lsusb
@@ -11,7 +11,7 @@ include <tunables/global>
 profile lsusb @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/devices-usb>
+  include <abstractions/devices-usb-read>
 
   capability net_admin,