AppArmor blocks hotplugging of USB devices

Bug #578332 reported by Andreas Ntaflos
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge
Milestone: natty-alpha-2

Bug Description

On Ubuntu 10.04 server, after applying the fixes to Libvirt's AppArmor profiles as discussed in bug 545795, the hotplugging of USB devices is blocked/denied by AppArmor. Hotplugging means: a KVM-based VM is running and a USB device connected to the underlying host is to be attached/passed-through to the VM while it is running. This can be accomplished by using virt-manager:

1. Open the "Details" window of the virtual machine in question
2. Click Add Hardware
3. Select "Physical Host Device", Next
4. Select "USB device" and choose the device to be attached (in our case a USB card reader), Next
5. Finish

The logfile for the machine in question immediately shows:

usb_create: no bus specified, using "usb.0" for "usb-host"
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2
/dev/bus/usb/005/002: Permission denied
husb: open device 5.2

/var/log/kern.log accordingly shows

kernel: [79029.932635] type=1503 audit(1272985279.341:1009): operation="open" pid=23782 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/dev/bus/usb/005/002"

This happens because AppArmor doesn't allow Libvirt access to /dev/bus/usb/**. Note that this works fine when the machine in question is shut down prior to attaching the USB device but that is exactly not the desired behaviour of hot-attaching devices.

This can be fixed quite simply by allowing read-write access to /dev/bus/usb/**. I don't know if that needs to be added to the profile abstractions/libvirt-qemu or usr.lib.libvirt.virt-aa-helper. I believe it is the latter, but I am not sure.

apparmor: 2.5-0ubuntu3
libvirt-bin: 0.7.5-5ubuntu27
Description: Ubuntu 10.04 LTS
Release: 10.04
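The following is an added worked example; it is not part of the bug report and not libvirt's own code. It takes the type=1503 audit line quoted above from /var/log/kern.log and turns the denial into an AppArmor rule that opens only the denied device node, as an alternative to the blanket "/dev/bus/usb/** rw," rule the report proposes. The function names (aa_field, aa_denied_profile, aa_rule_for_denial, aa_is_blanket_usb_rule) are the example's own, and the second audit line for /etc/shadow is constructed for the example to show the refusal path.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libvirt: turn an AppArmor
# denial for a hot-attached USB device into a rule that opens only that device
# node, rather than the blanket "/dev/bus/usb/** rw," proposed in the report.
# Assumes the type=1503 audit line format shown in the report (kern.log).

# The denial quoted in the report (copied here so the script runs offline).
SAMPLE_DENIAL='kernel: [79029.932635] type=1503 audit(1272985279.341:1009): operation="open" pid=23782 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/dev/bus/usb/005/002"'

# A constructed denial (not from the report) for a path that is not a USB
# device node; the rule generator below must refuse it.
NON_USB_DENIAL='kernel: [1.0] type=1503 audit(1.0:1): operation="open" pid=1 parent=1 profile="libvirt-00000000-0000-0000-0000-000000000000" requested_mask="rw::" denied_mask="rw::" fsuid=0 ouid=0 name="/etc/shadow"'

# aa_field LINE KEY: print the value of KEY="..." from one audit line.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_denied_profile LINE: the per-VM profile name the denial was logged under.
aa_denied_profile() {
    aa_field "$1" profile
}

# aa_rule_for_denial LINE: print an AppArmor rule granting exactly the denied
# permissions on exactly the denied path, and only if that path is a single
# USB device node (/dev/bus/usb/BBB/DDD). Returns 1 for anything else.
aa_rule_for_denial() {
    name=$(aa_field "$1" name)
    mask=$(aa_field "$1" denied_mask)
    case "$name" in
        /dev/bus/usb/[0-9][0-9][0-9]/[0-9][0-9][0-9]) ;;
        *) printf 'refusing to generate a rule for "%s"\n' "$name" >&2; return 1 ;;
    esac
    # denied_mask is written as "rw::"; the permission letters come first.
    perms=$(printf '%s' "$mask" | sed 's/:.*$//')
    printf '%s %s,\n' "$name" "$perms"
}

# aa_is_blanket_usb_rule RULE: true if RULE opens every USB device node, which
# is what the report proposes and what the maintainers argue against.
aa_is_blanket_usb_rule() {
    case "$1" in
        */dev/bus/usb/\*\**) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration: the rule for the reported denial, and the refusal for the
# constructed non-USB path. To process a real log instead:
#   grep 'type=1503' /var/log/kern.log | while read -r l; do aa_rule_for_denial "$l"; done
echo "profile: $(aa_denied_profile "$SAMPLE_DENIAL")"
echo "rule:    $(aa_rule_for_denial "$SAMPLE_DENIAL")"
if aa_rule_for_denial "$NON_USB_DENIAL" 2>/dev/null; then
    echo "unexpected: non-USB path accepted"
else
    echo "non-USB path refused, as intended"
fi
```

The generated rule belongs in the per-VM profile named in the audit line (the libvirt-<uuid> profile), not in the shared abstraction, so that only the VM the device was attached to gains access to that one node. The blanket rule would let every guest's qemu open every USB device on the host, which is the host-from-guest exposure the maintainers object to in the discussion.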

Tags: apparmor
Andreas Ntaflos (daff)
summary: - AppArmor blocks hot-attaching of USB devices
+ AppArmor blocks hotplugging of USB devices
description: updated
Mathias Gug (mathiaz)
Changed in libvirt (Ubuntu):
importance: Undecided → Low
tags: added: apparmor
Changed in libvirt (Ubuntu):
status: New → Confirmed
Serge Hallyn (serge-hallyn) wrote:

Thanks for this report and making Ubuntu better.

The thing we're trying to do (IMO) is protect the host from the guest
OS, not from libvirt itself. So unconditionally allowing qemu access to
all usb devices is wrong. Ideally, when libvirt hotplugs a device, it
would add an apparmor rule to allow qemu access to that device.

Jamie, is that feasible?

Jamie Strandboge (jdstrand) wrote:

Serge, that is feasible and how it is supposed to work.

Changed in libvirt (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote:

This should be fixed by commit 593e0072eb789ac7661078bac9bc2cfd1c3c68df in libvirt 0.8.5.

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
milestone: none → natty-alpha-2