Comment 16 for bug 545795

Andreas Ntaflos (daff) wrote: Re: apparmor driver blocks access to hostdev and pcidev devices

I'm sorry to post to this bug that has a status of "Fix released", but I am not sure it is really fixed. I have a situation similar to the original poster's concerning a USB card reader that won't make it past AppArmor, it seems. Using libvirt-bin 0.7.5-5ubuntu27.

Situation: one of our servers was upgraded from Ubuntu 9.10 to 10.04 today. The server runs a few Ubuntu 9.10 VMs, nothing fancy or out of the ordinary. These VMs were defined and installed a few weeks ago, prior to the release of and update to Ubuntu 10.04 (if that matters at all).

We've had problems with AppArmor and Libvirt/KVM before, so we disabled AppArmor, and pass-through of the USB card readers worked fine this way. This situation was not ideal from a security point of view, but since the host and guests are strictly for internal test and development purposes we went with it. Now I see that a lot has happened with regards to AppArmor, USB and PCI pass-through and Libvirt, so I tried enabling AppArmor again. Alas, when starting a VM, dmesg and /var/log/kern.log show these entries, repeating every second it seems:

May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 audit(1272908658.618:785): operation="open" pid=1532 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"

The guest of course does not get to see anything of the USB device in question. Please find the XML definition of the guest in question here: https://daff.pseudoterminal.org/files/vm-usb.txt

After disabling AppArmor (/etc/init.d/apparmor stop) the USB device is again visible in the guest.

Why would this happen? The file /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper explicitly states that access to /sys/devices/** should be allowed. Am I missing anything? I can experiment and run tests on this server for the next week or so, so please tell me if I can help debugging anything.
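An added example, not part of this comment or of libvirt's own tooling: a small Python checker that parses the type=1503 audit line quoted above out of kern.log and tests the denied path against a profile's file rules using AppArmor-style globbing. The useful detail in the log line is the profile= field, which names the profile that denied the access; here it is the per-guest libvirt-<uuid> profile that virt-aa-helper generates for the qemu process (on Ubuntu under /etc/apparmor.d/libvirt/), not usr.lib.libvirt.virt-aa-helper, which confines only the helper itself. The helper rule below is reconstructed from the comment's description of that file; the guest rule set is hypothetical, since the real libvirt-<uuid>.files contents are not on the page.

```python
import re

# The kern.log line quoted in the comment above, embedded as sample input.
SAMPLE_DENIAL = (
    'May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 '
    'audit(1272908658.618:785): operation="open" pid=1532 parent=1 '
    'profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" '
    'requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 '
    'name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"'
)

# Rule reconstructed from the comment's description of usr.lib.libvirt.virt-aa-helper.
HELPER_RULES = """
  /sys/devices/** r,
"""

# Hypothetical guest profile body (libvirt-<uuid>.files); the real contents are not on the page.
GUEST_RULES_HYPOTHETICAL = """
  /dev/bus/usb/** rw,
  /sys/bus/usb/devices/ r,
  deny /sys/devices/**/power/** rw,
"""

# key=value pairs as written by the kernel audit code: quoted or bare values.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# '[deny] [owner] /path perms,' file rules; other rule types are skipped.
RULE_RE = re.compile(r'^\s*(deny\s+)?(?:owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')


def parse_denial(line):
    """Return profile, operation, path and denied permission letters of an AppArmor denial, else None."""
    if 'type=1503' not in line and 'apparmor="DENIED"' not in line:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    if 'denied_mask' not in fields or 'name' not in fields:
        return None
    # Assumption: in this older log format the file permission letters precede
    # the first ':' of the mask; the remainder of the mask is ignored here.
    return {
        'profile': fields.get('profile', ''),
        'operation': fields.get('operation', ''),
        'name': fields['name'],
        'denied': set(fields['denied_mask'].split(':')[0]),
    }


def glob_to_regex(pattern):
    """Approximate AppArmor file globbing as a regex body for re.fullmatch:
    '*' and '?' do not cross '/', '**' does, '{a,b}' alternates, '[..]' is a class."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif c == '*':
            out.append('[^/]*')
            i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        elif c == '{':
            j = pattern.index('}', i)
            alts = pattern[i + 1:j].split(',')
            out.append('(?:' + '|'.join(glob_to_regex(a) for a in alts) + ')')
            i = j + 1
        elif c == '[':
            j = pattern.index(']', i)
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)


def path_matches(pattern, path):
    return re.fullmatch(glob_to_regex(pattern), path) is not None


def parse_rules(text):
    """Collect the file rules of a profile body; comments and non-path rules are dropped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split('#', 1)[0])
        if m and m.group(2).startswith('/'):
            rules.append({'deny': bool(m.group(1)), 'pattern': m.group(2), 'perms': set(m.group(3))})
    return rules


def explain(denial, rules):
    """List the rules whose glob matches the denied path and say whether they grant the denied perms."""
    matching = [r for r in rules if path_matches(r['pattern'], denial['name'])]
    granted = set().union(*(r['perms'] for r in matching if not r['deny']))
    denied_by_rule = set().union(*(r['perms'] for r in matching if r['deny']))
    covered = denial['denied'] <= (granted - denied_by_rule)
    return {'matching': [r['pattern'] for r in matching], 'covered': covered}


if __name__ == '__main__':
    d = parse_denial(SAMPLE_DENIAL)
    print(f"profile that denied: {d['profile']}  path: {d['name']}  denied: {sorted(d['denied'])}")
    print('virt-aa-helper rules:', explain(d, parse_rules(HELPER_RULES)))
    print('hypothetical guest rules:', explain(d, parse_rules(GUEST_RULES_HYPOTHETICAL)))
```

Run against the quoted line, the helper's /sys/devices/** rule does match the devnum path, which is why reading the helper profile looks like it should be enough; the guest profile, which is the one named in the log, is where the missing rule would have to be. The globbing here is an approximation (no nested braces, no handling of AppArmor's finer `**` edge cases) but is exact for the path shown.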