The USB backend inherits the cupsd AppArmor profile via `ixr`. That
profile grants `/sys/** r` but not `/ r`. libusb needs to open `/` to
resolve symlinks in `/sys/bus/usb/devices/` (e.g. `1-13 ->
../../devices/pci0000:00/.../usb1/1-13`) — the kernel walks from `/`
downward during symlink resolution.
Fix: add `/ r,` to the profile. This grants read-only directory
listing of `/`, nothing more.
Workaround:
echo '/ r,' > /etc/apparmor.d/local/usr.sbin.cupsd
apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
systemctl restart cups
Confirmed on trixie, cups 2.4.16-1, libusb 1.0.29-2+b1, kernel 6.18.15.
