[Bug 578332] [NEW] AppArmor blocks hot-attaching of USB devices
Public bug reported: On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor profiles as discussed in bug 545795 the hot-attachment of USB devices is blocked/denied by AppArmor. Hot-attachment means: a KVM-based VM is running and a USB devices connected to the underlying host is to be attached/passed-through to the VM while it is running. This can be accomplished by using virt-manager: 1. Open the Details window of the virtual machine in question 2. Klick Add Hardware 3. Select Physical Host Device, Next 4. Select USB device and choose the device to be attached (in our case a USB card reader), Next 5. Finish The logfile for the machine in question immediately shows: usb_create: no bus specified, using usb.0 for usb-host husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /var/log/kern.log accordingly shows kernel: [79029.932635] type=1503 audit(1272985279.341:1009): operation=open pid=23782 parent=1 profile=libvirt-959806d1-327a-cd14 -6b3f-ddeee8a19d0e requested_mask=rw:: denied_mask=rw:: fsuid=0 ouid=0 name=/dev/bus/usb/005/002 This happens because AppArmor doesn't allow Libvirt access to /dev/bus/usb/**. Note that this works fine when the machine in question is shut down prior to attaching the USB device but that is exactly not the desired behaviour of hot-attaching devices. This can be fixed quite simply by allowing read-write access to /dev/bus/usb/**. I don't know if that needs to be added to the profile abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe it is the latter, but I am not sure. apparmor: 2.5-0ubuntu3 libvirt-bin: 0.7.5-5ubuntu27 Description:Ubuntu 10.04 LTS Release:10.04 ** Affects: libvirt (Ubuntu) Importance: Undecided Status: New -- AppArmor blocks hot-attaching of USB devices https://bugs.launchpad.net/bugs/578332 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 578332] [NEW] AppArmor blocks hot-attaching of USB devices
Public bug reported: On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor profiles as discussed in bug 545795 the hot-attachment of USB devices is blocked/denied by AppArmor. Hot-attachment means: a KVM-based VM is running and a USB devices connected to the underlying host is to be attached/passed-through to the VM while it is running. This can be accomplished by using virt-manager: 1. Open the Details window of the virtual machine in question 2. Klick Add Hardware 3. Select Physical Host Device, Next 4. Select USB device and choose the device to be attached (in our case a USB card reader), Next 5. Finish The logfile for the machine in question immediately shows: usb_create: no bus specified, using usb.0 for usb-host husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /dev/bus/usb/005/002: Permission denied husb: open device 5.2 /var/log/kern.log accordingly shows kernel: [79029.932635] type=1503 audit(1272985279.341:1009): operation=open pid=23782 parent=1 profile=libvirt-959806d1-327a-cd14 -6b3f-ddeee8a19d0e requested_mask=rw:: denied_mask=rw:: fsuid=0 ouid=0 name=/dev/bus/usb/005/002 This happens because AppArmor doesn't allow Libvirt access to /dev/bus/usb/**. Note that this works fine when the machine in question is shut down prior to attaching the USB device but that is exactly not the desired behaviour of hot-attaching devices. This can be fixed quite simply by allowing read-write access to /dev/bus/usb/**. I don't know if that needs to be added to the profile abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe it is the latter, but I am not sure. apparmor: 2.5-0ubuntu3 libvirt-bin: 0.7.5-5ubuntu27 Description:Ubuntu 10.04 LTS Release:10.04 ** Affects: libvirt (Ubuntu) Importance: Undecided Status: New -- AppArmor blocks hot-attaching of USB devices https://bugs.launchpad.net/bugs/578332 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
