Apparmor blocks usb devices in libvirt in Saucy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Saucy | Fix Released | High | Unassigned |
Bug Description
=======
SRU Justification:
1. Impact: usb devices can't be used under libvirt kvm guests
2. Development fix: allow libvirt to have read access to some information it now insists on having.
3. Stable fix: cherrypick of dev fix
4. Test case: create a libvirt VM with a usb device passed from the host
5. Regression potential: This allows libvirt to see a bit more host system information, however the security team sees no problem with it.
=======
Upgraded a 13.04 64 bit to 13.10. Before the upgrade, I had a KVM guest with usb devices working well. Since the upgrade, apparmor blocks access to usb devices with the following errors:
Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(138289784
Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(138289784
Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 audit(138289784
Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 audit(138289784
Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 audit(138289784
Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 audit(138289784
The profile looks fine:
/etc/apparmor.
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-
#include <abstractions/
#include <libvirt/
}
/etc/apparmor.
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/home/
"/dev/
"/dev/
"/dev/
I found a workaround by adding the following to /etc/apparmor.d/abstractions/libvirt-qemu:
/dev/bus/usb/ r,
/etc/udev/udev.conf r,
/sys/bus/ r,
/sys/class/ r,
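Added example, not part of the bug report: a small parser that turns AppArmor `DENIED` audit records into candidate profile rules for review, which is how a workaround list like the one above is usually derived. The log lines quoted in the report are truncated, so the sample records here are constructed (placeholder UUID, PIDs and audit serials, with paths taken from the workaround), and the function names are hypothetical.

```python
import re
from collections import defaultdict

PROFILE = "libvirt-00000000-0000-0000-0000-000000000000"  # placeholder UUID
# Constructed sample records in the kernel's AppArmor audit format. PIDs, audit
# serials and the UUID are made up; the paths mirror the workaround rules above.
FMT = ('Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 '
       'audit(1382897849.000:{n}): apparmor="{verdict}" operation="open" parent=1 '
       'profile="{profile}" name="{path}" pid=4242 comm="qemu-system-x86" '
       'requested_mask="{mask}" denied_mask="{mask}" fsuid=0 ouid=0')
SAMPLE_LOG = "\n".join(
    FMT.format(n=i, verdict=v, profile=PROFILE, path=p, mask=m)
    for i, (v, p, m) in enumerate([
        ("DENIED", "/sys/bus/", "r"), ("DENIED", "/sys/class/", "r"),
        ("DENIED", "/dev/bus/usb/", "r"), ("DENIED", "/etc/udev/udev.conf", "r"),
        ("DENIED", "/sys/bus/", "r"),        # repeat: must collapse to one rule
        ("ALLOWED", "/etc/passwd", "r"),     # complain-mode record: not a denial
    ], start=101))

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one field dict per apparmor="DENIED" record found in text."""
    out = []
    for line in text.splitlines():
        f = {}
        for key, quoted, bare in KV.findall(line):
            # audit hex-encodes names with spaces/quotes and leaves them unquoted
            if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            f[key] = quoted or bare
        if f.get("apparmor") == "DENIED" and "name" in f and "profile" in f:
            out.append(f)
    return out

def candidate_rules(denials):
    """Group denials by profile into sorted, de-duplicated 'path mask,' rules."""
    masks = defaultdict(lambda: defaultdict(set))
    for d in denials:
        # Log masks use c (create) and d (delete); policy expresses both as w.
        perms = {"w" if ch in "cd" else ch for ch in d.get("denied_mask", "")}
        path = f'"{d["name"]}"' if " " in d["name"] else d["name"]
        masks[d["profile"]][path] |= perms & set("rw")
    return {prof: [f"{path} {''.join(sorted(m))}," for path, m in sorted(paths.items()) if m]
            for prof, paths in masks.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# candidates for {profile}, review before applying\n  " + "\n  ".join(rules))
```

Only read and write masks are turned into rules; execute denials are dropped on purpose because they need a transition qualifier chosen by hand.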