[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2011-01-04 Thread Jamie Strandboge
This should be fixed by commit 593e0072eb789ac7661078bac9bc2cfd1c3c68df
in libvirt 0.8.5.

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: libvirt (Ubuntu)
Milestone: None => natty-alpha-2

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/578332

Title:
  AppArmor blocks hotplugging of USB devices

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-09-17 Thread Jamie Strandboge
** Changed in: libvirt (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-08-12 Thread Jamie Strandboge
Serge, that is feasible and how it is supposed to work.


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-06-25 Thread Serge Hallyn
** Tags added: apparmor


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-06-25 Thread Serge Hallyn
** Changed in: libvirt (Ubuntu)
   Status: New => Confirmed


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-06-25 Thread Serge Hallyn
Thanks for this report and making Ubuntu better.

The thing we're trying to do (IMO) is protect the host from the guest
OS, not from libvirt itself.  So unconditionally allowing qemu access to
all usb devices is wrong.  Ideally, when libvirt hotplugs a device, it
would add an apparmor rule to allow qemu access to that device.

Jamie, is that feasible?


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-05-18 Thread Mathias Gug
** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Low


[Bug 578332] Re: AppArmor blocks hotplugging of USB devices

2010-05-10 Thread Andreas Ntaflos
** Summary changed:

- AppArmor blocks hot-attaching of USB devices
+ AppArmor blocks hotplugging of USB devices

** Description changed:

  On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor
- profiles as discussed in bug 545795 the hot-attachment of USB devices is
- blocked/denied by AppArmor. Hot-attachment means: a KVM-based VM is
- running and a USB devices connected to the underlying host is to be
- attached/passed-through to the VM while it is running. This can be
- accomplished by using virt-manager:
+ profiles as discussed in bug 545795 the hotplugging of USB devices is
+ blocked/denied by AppArmor. Hotplugging means: a KVM-based VM is running
+ and a USB devices connected to the underlying host is to be attached
+ /passed-through to the VM while it is running. This can be accomplished
+ by using virt-manager:
  
  1. Open the Details window of the virtual machine in question
  2. Klick Add Hardware
  3. Select Physical Host Device, Next
  4. Select USB device and choose the device to be attached (in our case a 
USB card reader), Next
  5. Finish
  
  The logfile for the machine in question immediately shows:
  
  usb_create: no bus specified, using usb.0 for usb-host
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  /dev/bus/usb/005/002: Permission denied
  husb: open device 5.2
  
  /var/log/kern.log accordingly shows
  
  kernel: [79029.932635] type=1503 audit(1272985279.341:1009):
  operation=open pid=23782 parent=1 profile=libvirt-959806d1-327a-cd14
  -6b3f-ddeee8a19d0e requested_mask=rw:: denied_mask=rw:: fsuid=0
  ouid=0 name=/dev/bus/usb/005/002
  
  This happens because AppArmor doesn't allow Libvirt access to
  /dev/bus/usb/**. Note that this works fine when the machine in question
  is shut down prior to attaching the USB device but that is exactly not
  the desired behaviour of hot-attaching devices.
  
  This can be fixed quite simply by allowing read-write access to
  /dev/bus/usb/**. I don't know if that needs to be added to the profile
  abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe
  it is the latter, but I am not sure.
  
  apparmor: 2.5-0ubuntu3
  libvirt-bin: 0.7.5-5ubuntu27
  Description:Ubuntu 10.04 LTS
  Release:10.04
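
Review bot: the rename from "hot-attachment" to "hotplugging" in the first paragraph is incomplete, because the unchanged paragraph after the kern.log excerpt still ends with "hot-attaching devices"; update that sentence as well so the summary and description use one term. The re-wrapped "+" lines also break "attached /passed-through" at the slash, which leaves a stray space when the lines are joined, and "a USB devices" carries over uncorrected from the removed text.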

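The per-device approach discussed in this thread (grant the one hotplugged node instead of all of /dev/bus/usb/**), applied to the denial record from the report. This is an added example, not code from libvirt or from the bug thread; the function names are hypothetical, and every sample record except the first is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 reuses the report's values (wrapped profile
# name rejoined); records 2 and 3 are made up to show what must be ignored.
VM = "libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e"
SAMPLE_KERN_LOG = (
    "kernel: [79029.932635] type=1503 audit(1272985279.341:1009): "
    f"operation=open pid=23782 parent=1 profile={VM} "
    "requested_mask=rw:: denied_mask=rw:: fsuid=0 ouid=0 "
    "name=/dev/bus/usb/005/002\n"
    "kernel: [79031.100000] type=1503 audit(1272985280.500:1010): "
    f'operation="open" pid=23782 parent=1 profile="{VM}" '
    'requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 '
    'name="/etc/shadow"\n'
    "kernel: [79040.000000] type=1503 audit(1272985290.000:1011): "
    'operation="open" pid=901 parent=1 profile="/usr/sbin/cupsd" '
    'requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 '
    'name="/dev/bus/usb/001/003"\n'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted or bare values
VM_PROFILE = re.compile(r"libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
USB_NODE = re.compile(r"/dev/bus/usb/\d{3}/\d{3}")  # exactly one device node

def parse_denial(line):
    """Return the key=value fields of a type=1503 record, else None."""
    if "type=1503" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def per_device_rules(log_text):
    """Map each per-VM profile to the narrow USB rules its denials justify."""
    wanted = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or not VM_PROFILE.fullmatch(rec.get("profile", "")):
            continue  # only per-VM libvirt profiles are considered
        path = rec.get("name", "")
        if not USB_NODE.fullmatch(path):
            continue  # a denial elsewhere (or with ../) never becomes a rule
        mask = set(rec.get("denied_mask", "").strip(":")) & set("rw")
        wanted[rec["profile"]].setdefault(path, set()).update(mask)
    return {
        prof: [f'"{p}" {"".join(sorted(m))},' for p, m in sorted(paths.items()) if m]
        for prof, paths in wanted.items()
    }
```

For the report's record this yields the single rule `"/dev/bus/usb/005/002" rw,` for that VM's profile, where the workaround proposed in the description would grant `/dev/bus/usb/** rw,` to every guest.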