feat(abs): revisit and restrict the devices-usb abs.

apparmor.d/abstractions/devices-usb

@@ -3,13 +3,22 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow raw access to all connected USB devices
+
   abi <abi/4.0>,
 
   include <abstractions/devices-usb-read>
 
-  /dev/bus/usb/@{int}/@{int} wk,
+  @{PROC}/tty/drivers r,
 
-  @{sys}/devices/**/usb@{int}/{,**} w,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,
+
+  # Allow access to all ttyUSB devices too
+  /dev/ttyACM@{int} wk,
+  /dev/ttyUSB@{int} wk,
+
+  # Allow raw access to USB printers (i.e. for receipt printers in POS systems).
+  /dev/usb/lp@{int} wk,
 
   include if exists <abstractions/devices-usb.d>
 

apparmor.d/abstractions/devices-usb-read

@@ -3,26 +3,29 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  abi <abi/4.0>,
+# Allow detection of usb devices. Leaks plugged in USB device info
 
-  /dev/ r,
+  abi <abi/4.0>,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/bus/usb/@{int}/@{int} r,
 
   @{sys}/class/ r,
   @{sys}/class/usbmisc/ r,
 
   @{sys}/bus/ r,
   @{sys}/bus/usb/ r,
-  @{sys}/bus/usb/devices/{,**} r,
+  @{sys}/bus/usb/devices/ r,
-
+  @{sys}/devices/**/usb@{int}/ r,
-  @{sys}/devices/**/usb@{int}/{,**} r,
+  @{sys}/devices/**/usb@{int}/** r,
 
   # Udev data about usb devices (~equal to content of lsusb -v)
   @{run}/udev/data/+usb:* r,              # Identifies all USB devices
-  @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
+  @{run}/udev/data/b180:@{int} r,         # USB block devices
-  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
+  @{run}/udev/data/c16{6,7}:@{d} r,       # ACM USB modems
+  @{run}/udev/data/c18{0,8,9}:@{int} r,   # USB character devices
+
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/@{int}/ r,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r,
 
   include if exists <abstractions/devices-usb-read.d>