From db347d13de5610ddcd0338f23e082a9b0e544f74 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 13 Sep 2025 00:37:35 +0200
Subject: [PATCH] feat(abs): revisit and restrict the devices-usb abs.

---
 apparmor.d/abstractions/devices-usb      | 13 +++++++++++--
 apparmor.d/abstractions/devices-usb-read | 23 +++++++++++++----------
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb
index 85f8f6b92..3361f10ec 100644
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@@ -3,13 +3,22 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow raw access to all connected USB devices
+
   abi <abi/4.0>,
 
   include <abstractions/devices-usb-read>
 
-  /dev/bus/usb/@{int}/@{int} wk,
+  @{PROC}/tty/drivers r,
 
-  @{sys}/devices/**/usb@{int}/{,**} w,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,
+
+  # Allow access to all ttyUSB devices too
+  /dev/ttyACM@{int} wk,
+  /dev/ttyUSB@{int} wk,
+
+  # Allow raw access to USB printers (i.e. for receipt printers in POS systems).
+  /dev/usb/lp@{int} wk,
 
   include if exists <abstractions/devices-usb.d>
 
diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read
index 836a5f3c7..ea3131d59 100644
--- a/apparmor.d/abstractions/devices-usb-read
+++ b/apparmor.d/abstractions/devices-usb-read
@@ -3,26 +3,29 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  abi <abi/4.0>,
+# Allow detection of usb devices. Leaks plugged in USB device info
 
-  /dev/ r,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/bus/usb/@{int}/@{int} r,
+  abi <abi/4.0>,
 
   @{sys}/class/ r,
   @{sys}/class/usbmisc/ r,
 
   @{sys}/bus/ r,
   @{sys}/bus/usb/ r,
-  @{sys}/bus/usb/devices/{,**} r,
-
-  @{sys}/devices/**/usb@{int}/{,**} r,
+  @{sys}/bus/usb/devices/ r,
+  @{sys}/devices/**/usb@{int}/ r,
+  @{sys}/devices/**/usb@{int}/** r,
 
   # Udev data about usb devices (~equal to content of lsusb -v)
   @{run}/udev/data/+usb:* r,              # Identifies all USB devices
-  @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
-  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
+  @{run}/udev/data/b180:@{int} r,         # USB block devices
+  @{run}/udev/data/c16{6,7}:@{d} r,       # ACM USB modems
+  @{run}/udev/data/c18{0,8,9}:@{int} r,   # USB character devices
+
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/@{int}/ r,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r,
 
   include if exists <abstractions/devices-usb-read.d>