@ClaudeD,

could you please list either a kvm command line or a virsh dumpxml
output (or both) for a domain that has trouble?  I tried to reproduce
just passing in a yubikey, but had no permission problems.

(in my test, the kvm command was started with specific
hostbus=2,hostaddr=4 information, so presumably you're passing in
something more generic which requires qemu to look for host info...)

** Also affects: libvirt (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Description changed:

+ =============================
+ SRU Justification:
+ 1. Impact: usb devices can't be used under libvirt kvm guests
+ 2. Development fix: allow libvirt to have read access to some information it 
now insists on having.
+ 3. Stable fix: cherrypick of dev fix
+ 4. Test case: create a libvirt VM with a usb device passed from the host
+ 5. Regression potential: This allows libvirt to see a bit more host system 
information, however the security team sees no problem with it.
+ ==============================
+ 
  Upgraded a 13.04 64 bit to 13.10. Before the upgrade, I had KVM guest
  with usb devices working well. Since the upgrade, apparmor blocks access
  to usb devices with the following errors :
  
  Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 
audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" 
pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 
ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 
audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 
audit(1382897849.445:341): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" 
pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 
ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 
audit(1382897849.445:342): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 
audit(1382897849.445:343): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" 
pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 
ouid=0
  Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 
audit(1382897849.445:344): apparmor="DENIED" operation="open" parent=1 
profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
  
  The profile looks fine :
  
  /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee:
  
  #
  # This profile is for the domain whose UUID matches this file.
  #
  
  #include <tunables/global>
  
  profile libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files>
  
  }
  
  
  /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files:
  
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/windows-xp.log" w,
    "/var/lib/libvirt/**/windows-xp.monitor" rw,
    "/var/run/libvirt/**/windows-xp.pid" rwk,
    "/run/libvirt/**/windows-xp.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw,
    "/home/vm/windowsxp.img" rw,
    "/dev/bus/usb/002/012" rw,
    "/dev/bus/usb/002/011" rw,
    "/dev/bus/usb/002/007" rw,

** Changed in: libvirt (Ubuntu Saucy)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu Saucy)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1245251

Title:
  Apparmor blocks usb devices in libvirt in Saucy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1245251/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
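
The denials quoted in the description name the directories `/dev/bus/usb/` and `/dev/`, while the generated `.files` fragment only grants individual device nodes. The following triage script is an added example, not part of the bug report or of libvirt; its function names are hypothetical, its sample input is constructed from the records and rules quoted above, and its glob handling covers only `*`, `**` and `?`.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)="([^"]*)"')
RULE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+),\s*$')

def parse_denials(log_text):
    """Count DENIED records per (profile, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("apparmor") == "DENIED":
            counts[(f["profile"], f["name"], f["denied_mask"])] += 1
    return counts

def parse_rules(files_text):
    """(path_glob, perms) pairs from a libvirt-generated .files fragment."""
    return [m.groups() for m in map(RULE.match, files_text.splitlines()) if m]

def glob_to_regex(glob):
    """Subset of AppArmor globbing: ** crosses '/', * and ? do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def triage(denials, rules):
    """Classify each denied path against the rules the profile already has."""
    result = {}
    for _profile, name, mask in denials:
        perms = [p for g, p in rules if glob_to_regex(g).match(name)]
        if any(set(mask) <= set(p) for p in perms):
            result[name] = "allowed-by-files"  # granted here; look elsewhere
        elif name.endswith("/") and any(g.startswith(name) for g, _ in rules):
            result[name] = "parent-dir-of-granted-node"
        else:
            result[name] = "no-related-rule"
    return result

# Constructed sample: records and rules from the report, log lines re-joined.
_P = 'profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee"'
_T = 'pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0'
SAMPLE_LOG = "\n".join(
    f'type=1400 audit(1382897849.445:{n}): apparmor="DENIED" operation="open" parent=1 {_P} name="{name}" {_T}'
    for n, name in [(339, "/dev/bus/usb/"), (340, "/dev/"), (341, "/dev/bus/usb/")])
SAMPLE_RULES = '''
  "/home/vm/windowsxp.img" rw,
  "/dev/bus/usb/002/012" rw,
'''

if __name__ == "__main__":
    print(triage(parse_denials(SAMPLE_LOG), parse_rules(SAMPLE_RULES)))
```

A result of `parent-dir-of-granted-node` means the device node itself is permitted and only the directory read is refused, which matches the "Development fix" line in the SRU justification.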
