apparmor driver blocks access to some hostdev and pcidev devices
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Fedora) | Fix Released | Medium | | |
| libvirt (Ubuntu) | Fix Released | Medium | Jamie Strandboge | |
| Lucid | Won't Fix | Medium | Unassigned | |
| Maverick | Fix Released | Medium | Jamie Strandboge | |
Bug Description
Description: Ubuntu lucid (development branch)
Release: 10.04
If I try to use an "Ethernet controller: Intel Corporation 82576 Virtual Function (rev 01)" network device for a VM, I can select the device via virt-manager. But if I try to start such a VM, the VM won't start because the apparmor profile for the VM is not updated to allow access to the PCI device (the same is true for USB devices). This gives the following messages:
Mar 20 15:33:43 horst kernel: [ 1178.108436] type=1503 audit(126909562
Mar 20 15:33:43 horst libvirtd: 15:33:43.183: error : qemudWaitForMon
virt-manager should create the necessary entries in the apparmor profile for Physical Host Devices automatically.
virt-manager 0.8.2-2ubuntu6
libvirt-bin 0.7.5-5ubuntu15
apparmor 2.5-0ubuntu1
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libvirt (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-2
Changed in libvirt (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-2 → ubuntu-10.04
Changed in libvirt (Ubuntu Lucid):
milestone: ubuntu-10.04 → ubuntu-10.04.1
Changed in libvirt (Ubuntu Maverick):
status: Triaged → Incomplete
Changed in libvirt (Ubuntu Lucid):
status: Triaged → Incomplete
Changed in libvirt (Ubuntu Lucid):
milestone: ubuntu-10.04.1 → ubuntu-10.04.2
summary:
- apparmor driver blocks access to hostdev and pcidev devices
+ apparmor driver blocks access to some hostdev and pcidev devices
Changed in libvirt (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in libvirt (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in libvirt (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in libvirt (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
Thank you for using Ubuntu and reporting a bug. This is a known issue and a limitation of the AppArmor driver. For now, you need to adjust /etc/apparmor.d/abstractions/libvirt-qemu to allow access to host hardware. For usb devices (hostdev), adjust this:
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
#/sys/bus/usb/devices/ r,
#/sys/devices/*/*/usb[0-9]*/** r,
#/dev/bus/usb/*/[0-9]* rw,
To be:
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,
You will have to add similar entries for PCI devices (pcidev).
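An added example, not part of the original comment or of libvirt: a small checker that reads AppArmor denial lines for `libvirt-*` profiles and reports which denied paths the three USB rules above would still not allow, so only the missing entries (for example PCI ones) need to be added. The log field layout, the sample lines and the glob translation (a simplified approximation of AppArmor matching) are assumptions.

```python
import re

# The three USB rules from the comment above, in their uncommented form.
USB_RULES = [
    ("/sys/bus/usb/devices/", "r"),
    ("/sys/devices/*/*/usb[0-9]*/**", "r"),
    ("/dev/bus/usb/*/[0-9]*", "rw"),
]

def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' may cross '/', '*' may not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "[":
            j = glob.index("]", i)          # copy the character class as-is
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def uncovered_denials(log_lines, rules=USB_RULES):
    """Return (profile, path, mask) for libvirt denials no rule would allow."""
    compiled = [(glob_to_regex(g), set(p)) for g, p in rules]
    missing = []
    for line in log_lines:
        f = dict(re.findall(r'(\w+)="([^"]*)"', line))   # key="value" fields
        if not f.get("profile", "").startswith("libvirt-") or "name" not in f:
            continue
        want = set(f.get("denied_mask", "").replace(":", ""))
        if not any(rx.match(f["name"]) and want <= perms for rx, perms in compiled):
            missing.append((f["profile"], f["name"], "".join(sorted(want))))
    return missing

# Constructed sample lines (field layout assumed); the UUID is a placeholder.
P = 'profile="libvirt-00000000-0000-0000-0000-000000000000"'
SAMPLE = [
    f'type=1503 audit(0.0:1): operation="open" {P} denied_mask="r::" name="/sys/bus/usb/devices/"',
    f'type=1503 audit(0.0:2): operation="open" {P} denied_mask="rw::" name="/dev/bus/usb/001/004"',
    f'type=1503 audit(0.0:3): operation="open" {P} denied_mask="rw::" name="/sys/bus/pci/devices/0000:01:10.0/config"',
]

if __name__ == "__main__":
    for profile, path, mask in uncovered_denials(SAMPLE):
        print(f"{profile}: no rule allows {path} ({mask})")
```

Run against the constructed sample, only the PCI config path is reported; the two USB paths are already covered by the rules from the abstraction.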