I'm sorry to post to this bug that has a status of "Fix released" but I am not sure it is really fixed. I have a situation similar to the original poster's concerning a USB card reader that won't make it past AppArmor it seems. Using libvirt-bin 0.7.5-5ubuntu27.
Situation: one of our servers was upgraded from Ubuntu 9.10 to 10.04 today. The server runs a few Ubuntu 9.10 VMs, nothing fancy or out of the ordinary. These VMs were defined and installed a few weeks ago, prior to the release of and update to Ubuntu 10.04 (if that matters at all).
We've had problems with AppArmor and Libvirt/KVM before so we disabled AppArmor and pass-through of the USB card readers worked fine this way. This situation was not ideal from a security point-of-view but since the host and guests are strictly for internal test and development purposes we went with it. Now I see that a lot has happened with regards to AppArmor, USB and PCI pass-through and Libvirt, so tried again enabling AppArmor. Alas, when starting a VM dmesg and /var/log/kern.log show these entries, repeating every second it seems:
May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 audit(1272908658.618:785): operation="open" pid=1532 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"
The guest of course does not get to see anything of the USB device in question. Please find the XML definition of the guest in question here: https://daff.pseudoterminal.org/files/vm-usb.txt
After disabling AppArmor (/etc/init.d/apparmor stop) the USB device is again visible in the guest.
Why would this happen? The file /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper explicitly states that access to /sys/devices/** should be allowed. Am I missing anything? I can experiment and run tests on this server for the next week or so, so please tell me if I can help debugging anything.
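Added example, not part of the original comment or of libvirt: a small parser for the `type=1503` AppArmor denial quoted above. It collapses the once-per-second repeats and reports which profile the kernel names in each denial, so that profile can be compared with the profile file being inspected. The function names are illustrative, and the UUID-suffix pattern is an assumption based on the profile name in that log line.

```python
import re
from collections import Counter

# Log line copied from the comment above (kern.log, AppArmor audit type=1503).
SAMPLE = (
    'May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 '
    'audit(1272908658.618:785): operation="open" pid=1532 parent=1 '
    'profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" '
    'requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 '
    'name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"'
)

AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: per-guest profiles look like "libvirt-<guest UUID>", as in SAMPLE.
UUID_PROFILE = re.compile(r'^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_denial(line):
    """Return the key=value fields of a type=1503 audit line, or None."""
    if 'type=1503' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    m = AUDIT_ID.search(line)
    if m:
        fields['epoch'], fields['serial'] = float(m.group(1)), int(m.group(2))
    return fields


def is_per_guest_profile(profile):
    """True when the denying profile is a UUID-named per-guest profile."""
    return bool(UUID_PROFILE.match(profile))


def summarize(lines):
    """Count repeated denials per (profile, denied_mask, path)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d and 'denied_mask' in d:
            counts[(d.get('profile'), d['denied_mask'], d.get('name'))] += 1
    return counts


if __name__ == '__main__':
    for (profile, mask, path), n in summarize([SAMPLE]).items():
        kind = 'per-guest' if is_per_guest_profile(profile) else 'other'
        print(f'{n}x denied {mask} on {path} by {profile} ({kind} profile)')
```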