Ubuntu
libvirt package

  1. Bug #1245251
  2. Activity log

Activity log for bug #1245251

Date Who What changed Old value New value Message
2013-10-27 18:41:46 Claude Durocher bug added bug
2013-10-27 22:18:39 Robie Basak bug added subscriber Robie Basak
2013-10-28 21:51:22 Serge Hallyn libvirt (Ubuntu): importance Undecided High
2013-10-28 21:51:22 Serge Hallyn libvirt (Ubuntu): status New Confirmed
2013-10-30 20:19:25 Serge Hallyn nominated for series Ubuntu Saucy
2013-10-30 20:19:25 Serge Hallyn bug task added libvirt (Ubuntu Saucy)
2013-10-30 20:21:48 Serge Hallyn description Upgraded a 13.04 64 bit to 13.10. Before the upgrade, I had KVM guest with usb devices working well. Since the upgrade, apparmor blocks access to usb devices with the following errors : Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 audit(1382897849.445:341): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 audit(1382897849.445:342): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 audit(1382897849.445:343): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 audit(1382897849.445:344): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 The profile looks fine : /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee: # # This profile is for the domain whose UUID matches this file. # #include <tunables/global> profile libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee { #include <abstractions/libvirt-qemu> #include <libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files> } /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files: # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. "/var/log/libvirt/**/windows-xp.log" w, "/var/lib/libvirt/**/windows-xp.monitor" rw, "/var/run/libvirt/**/windows-xp.pid" rwk, "/run/libvirt/**/windows-xp.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw, "/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw, "/home/vm/windowsxp.img" rw, "/dev/bus/usb/002/012" rw, "/dev/bus/usb/002/011" rw, "/dev/bus/usb/002/007" rw, ============================= SRU Justification: 1. Impact: usb devices can't be used under libvirt kvm guests 2. Development fix: allow libvirt to have read access to some information it now insists on having. 3. Stable fix: cherrypick of dev fix 4. Test case: create a libvirt VM with a usb device passed from the host 5. Regression potential: This allows libvirt to see a bit more host system information, however the security team sees no problem with it. ============================== Upgraded a 13.04 64 bit to 13.10. Before the upgrade, I had KVM guest with usb devices working well. Since the upgrade, apparmor blocks access to usb devices with the following errors : Oct 27 14:17:29 laptop kernel: [ 5771.844806] type=1400 audit(1382897849.445:339): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844847] type=1400 audit(1382897849.445:340): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844947] type=1400 audit(1382897849.445:341): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.844967] type=1400 audit(1382897849.445:342): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.845051] type=1400 audit(1382897849.445:343): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/bus/usb/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 Oct 27 14:17:29 laptop kernel: [ 5771.845069] type=1400 audit(1382897849.445:344): apparmor="DENIED" operation="open" parent=1 profile="libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee" name="/dev/" pid=12253 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0 The profile looks fine : /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee: # # This profile is for the domain whose UUID matches this file. # #include <tunables/global> profile libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee { #include <abstractions/libvirt-qemu> #include <libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files> } /etc/apparmor.d/libvirt/libvirt-655920dd-7b6f-f20b-bb77-b5bbaa133eee.files: # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. "/var/log/libvirt/**/windows-xp.log" w, "/var/lib/libvirt/**/windows-xp.monitor" rw, "/var/run/libvirt/**/windows-xp.pid" rwk, "/run/libvirt/**/windows-xp.pid" rwk, "/var/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw, "/run/libvirt/**/*.tunnelmigrate.dest.windows-xp" rw, "/home/vm/windowsxp.img" rw, "/dev/bus/usb/002/012" rw, "/dev/bus/usb/002/011" rw, "/dev/bus/usb/002/007" rw,
2013-10-30 20:24:57 Serge Hallyn libvirt (Ubuntu Saucy): importance Undecided High
2013-10-30 20:24:57 Serge Hallyn libvirt (Ubuntu Saucy): status New Confirmed
2013-11-10 14:56:22 David Medberry attachment added virsh dumpxml Fitbit https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1245251/+attachment/3904462/+files/fitbit.xml
2013-11-14 09:29:13 Launchpad Janitor libvirt (Ubuntu): status Confirmed Fix Released
2013-11-14 18:39:53 Brian Murray libvirt (Ubuntu Saucy): status Confirmed Fix Committed
2013-11-14 18:39:55 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2013-11-14 18:39:57 Brian Murray bug added subscriber SRU Verification
2013-11-14 18:39:59 Brian Murray tags verification-needed
2013-11-18 15:32:11 David Groos bug added subscriber David Groos
2013-11-18 16:29:49 Claude Durocher tags verification-needed verification-done
2013-11-26 19:17:56 Stéphane Graber removed subscriber Ubuntu Stable Release Updates Team
2013-11-26 19:23:12 Launchpad Janitor libvirt (Ubuntu Saucy): status Fix Committed Fix Released