From 9f700040587e69a5cc272ab607a12e7227404737 Mon Sep 17 00:00:00 2001
From: Ryan Lee
Date: Mon, 9 Jun 2025 12:56:36 -0700
Subject: [PATCH] profiles: add additional rules needed for lsusb under sudo + other flags
Fixes: https://bugs.launchpad.net/ubuntu/+source/usbutils/+bug/2110212
Signed-off-by: Ryan Lee
---
profiles/apparmor.d/lsusb | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/profiles/apparmor.d/lsusb b/profiles/apparmor.d/lsusb
index a433e0bb0..8be2f8f85 100644
--- a/profiles/apparmor.d/lsusb
+++ b/profiles/apparmor.d/lsusb
@@ -16,8 +16,14 @@ include profile lsusb /usr/bin/lsusb { include + /usr/bin/lsusb mr, + network netlink raw, + # Needed for additional information gathered under sudo + capability net_admin, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} rw, + /dev/ r, /dev/bus/usb/ r, @{run}/udev/data/*usb:* r,
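Review bot: The one comment `# Needed for additional information gathered under sudo` covers two very different grants, `capability net_admin` and `rw` on every `/dev/bus/usb/` device node, without saying which operation needs which. net_admin is a broad capability, and AppArmor file rules do not mediate ioctls, so write access to the usbfs nodes lets a root-run lsusb do more than read descriptors; each grant should carry its own why-comment so a later reviewer can judge whether it can be narrowed. Something like `# net_admin: requested on the netlink socket when run as root (confirm the exact call)` and `# rw: device nodes are opened read-write to fetch descriptors for -v (confirm)` would do, with the triggers taken from the denial logs in the linked bug. If the net_admin denial turns out not to affect lsusb output, `deny capability net_admin,` would be the tighter choice. The profile block opened in this hunk continues past its end.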
@@ -35,6 +41,31 @@ profile lsusb /usr/bin/lsusb {
 @{sys}/devices/**/usb[0-9]**/manufacturer r,
 @{sys}/devices/**/usb[0-9]**/product r,
 @{sys}/devices/**/usb[0-9]**/serial r,
+ # needed for --tree
+ @{sys}/devices/**/usb[0-9]**/bAlternateSetting r,
+ @{sys}/devices/**/usb[0-9]**/bInterfaceClass r,
+ @{sys}/devices/**/usb[0-9]**/bInterfaceNumber r,
+ @{sys}/devices/**/usb[0-9]**/bInterfaceProtocol r,
+ @{sys}/devices/**/usb[0-9]**/bInterfaceSubClass r,
+ @{sys}/devices/**/usb[0-9]**/bNumEndpoints r,
+ @{sys}/devices/**/usb[0-9]**/bConfigurationValue r,
+ @{sys}/devices/**/usb[0-9]**/bDeviceClass r,
+ @{sys}/devices/**/usb[0-9]**/bDeviceProtocol r,
+ @{sys}/devices/**/usb[0-9]**/bDeviceSubClass r,
+ @{sys}/devices/**/usb[0-9]**/bMaxPacketSize0 r,
+ @{sys}/devices/**/usb[0-9]**/bNumConfigurations r,
+ @{sys}/devices/**/usb[0-9]**/bNumInterfaces r,
+ @{sys}/devices/**/usb[0-9]**/bcdDevice r,
+ @{sys}/devices/**/usb[0-9]**/bmAttributes r,
+ @{sys}/devices/**/usb[0-9]**/configuration r,
+ @{sys}/devices/**/usb[0-9]**/idProduct r,
+ @{sys}/devices/**/usb[0-9]**/idVendor r,
+ @{sys}/devices/**/usb[0-9]**/maxchild r,
+ @{sys}/devices/**/usb[0-9]**/rx_lanes r,
+ @{sys}/devices/**/usb[0-9]**/tx_lanes r,
+ # Needed for --tree -v
+ @{sys}/devices/**/usb[0-9]**/bMaxPower r,
+ @{sys}/devices/**/usb[0-9]**/version r,
 include if exists
 }
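Review bot: The trailing `**` in `usb[0-9]**` crosses directory boundaries, so each new rule matches its attribute name at any depth below a USB bus directory, not only in USB device and interface directories. For the `b*`/`id*` descriptor names that is harmless, but `version` and `configuration` are generic enough that they could also match files exposed by child devices of other subsystems. The grants are read-only and follow the existing `manufacturer`/`product`/`serial` rules, so this is low risk, but a comment such as `# usb[0-9]** also matches interface and child-device directories; every entry here is read-only` would record that this breadth is intentional. The two new comments also differ in capitalisation (`# needed for --tree` versus `# Needed for --tree -v`). The profile block closed in this hunk opens outside it.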