USB passthrough - virt-aa-helper must grant /run/udev/data/ r

Bug #1515791 reported by Nahuel Greco on 2015-11-12
This bug affects 18 people
Affects: libvirt (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

When trying to use a USB printer from a QEMU guest (created with virt-manager) I get many apparmor errors in /var/log/kern.log, like:

Nov 8 18:08:00 ombu kernel: [ 8603.301618] audit: type=1400 audit(1447016880.250:195): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/dev/bus/usb/005/016" pid=10345 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=122 ouid=122
Nov 12 20:01:35 ombu kernel: [360670.214358] audit: type=1400 audit(1447369295.810:1531): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/run/udev/data/c189:0" pid=8408 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=122 ouid=0

The guest can't see the USB device at all. I solved the problem by editing /etc/apparmor.d/abstractions/libvirt-qemu changing this line:

 /dev/bus/usb/ r,

to this:

 /dev/bus/usb/ rw,

and adding these two lines:

  /dev/bus/usb/*/[0-9]* rw,
  /run/udev/** rw,

And then restarting apparmor and libvirtd. I think a similar configuration must come included in /etc/apparmor.d/abstractions/libvirt-qemu by default.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libvirt-bin 1.2.16-2ubuntu11
Uname: Linux 4.3.0-040300-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Nov 12 20:10:16 2015
InstallationDate: Installed on 2015-10-30 (13 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.abstractions.libvirt.qemu: [modified]
modified.conffile..etc.libvirt.libvirtd.conf: [modified]
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']
mtime.conffile..etc.apparmor.d.abstractions.libvirt.qemu: 2015-11-12T20:03:10.223851
mtime.conffile..etc.libvirt.libvirtd.conf: 2015-11-12T19:32:30.170352

Nahuel Greco (ngreco) wrote :

Thanks for reporting this bug.

Can you tell us exactly how you told virt-manager about the printer? For other types of usb devices (like an ereader) this has definitely created the needed rules for me.

Adding a blanket '/run/udev/** rw' rule would not be safe, but we should be able to find a way to add the needed rules through virt-aa-helper.

 status: incomplete
 priority: medium

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
Nahuel Greco (ngreco) wrote :

I simply clicked on "Add Hardware" -> "USB Host Device" and clicked on the
USB printer (a Silhouette Cameo 2, not really a printer but a plotter).

Saludos,
Nahuel Greco.

On Fri, Nov 13, 2015 at 5:14 PM, Serge Hallyn <email address hidden>
wrote:

> Thanks for reporting this bug.
>
> Can you tell us exactly how you told virt-manager about the printer?
> For other types of usb devices (like an ereader) this has definitely
> created the needed rules for me.
>
> Adding a blanket '/run/udev/** rw' rule would not be safe, but we should
> be able to find a way to add the needed rules through virt-aa-helper.
>
> status: incomplete
> priority: medium
>
>
> ** Changed in: libvirt (Ubuntu)
> Importance: Undecided => Medium

Serge Hallyn (serge-hallyn) wrote :

Thanks - could you show the vm's xml configuration? (i.e. result of
virsh dumpxml vmname)

I have this exact same issue, and this workaround does in fact work.

<domain type='kvm' id='4'>
  <name>Windows-COE</name>
  <uuid>d994a682-2369-f82b-4592-fc4705b4dc2b</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>6</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <sysinfo type='smbios'>
    <bios>
      <entry name='vendor'>Hewlett-Packard</entry>
    </bios>
    <system>
      <entry name='manufacturer'>Hewlett-Packard</entry>
      <entry name='product'>HP Z420 Workstation</entry>
      <entry name='serial'>2UA3111WCH</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm-spice</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/Windows-COE.img'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='ccid' index='0'>
      <alias name='ccid0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:fb:20:90'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='rtl8139'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/14'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/14'>
      <source path='/dev/pts/14'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>...


here is the vm's xml configuration:

<domain type='kvm' id='14'>
  <name>win7</name>
  <uuid>3c21df5e-dfef-4cf5-8e24-aeaa47235205</uuid>
  <memory unit='KiB'>5120000</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>6</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-vivid'>hvm</type>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Westmere</model>
  </cpu>
  <clock offset='localtime'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/disk2/flat2/kvm-storage1/win7.img'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x2'/>
    </controller>
    <interface type='direct'>
      <mac address='52:54:00:7f:9b:38'/>
      <source dev='enp7s0' mode='bridge'/>
      <target dev='macvtap0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:35:78:6d'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio...


I can't seem to reproduce this here.

Could you please reproduce this with a new VM, then show

1. dpkg -l | grep libvirt-bin
2. virsh dumpxml $vm
3. cat /etc/apparmor.d/libvirt/libvirt-${uuid}.files where uuid is the <uuid> entry you see in the output of (2)
4. cat /var/log/libvirt/qemu/${vm}.log
5. either 'grep DENIED /var/log/syslog | tail -100' or 'journalctl | grep DENIED | tail -100' (whichever works, depending on your init)

Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu):
status: Incomplete → Expired
Leendert Keus (lj-keus) wrote :

Hi,
I have the same issue.

host (fragment of syslog):
$sudo less /var/log/syslog
Mar 5 16:54:33 hostname kernel: [ 512.162587] audit: type=1400 audit(1457193273.817:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.173929] audit: type=1400 audit(1457193273.829:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.282083] audit: type=1400 audit(1457193273.937:64): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:1" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282160] audit: type=1400 audit(1457193273.937:65): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:257" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282232] audit: type=1400 audit(1457193273.937:66): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:385" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282302] audit: type=1400 audit(1457193273.937:67): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:0" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282371] audit: type=1400 audit(1457193273.937:68): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:128" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282437] audit: type=1400 audit(1457193273.937:69): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:256" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0

guest (no passthrough of usb device):
$lsusb
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 0409:55aa NEC Corp. Hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

host (aa-complain of libvirtd and vm) + fragment of syslog
$sudo aa-complain /usr/sbin/libvirtd
$sudo aa-complain /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1

$sudo less /var/log/syslog
Mar 5 16:29:50 hostname kernel: [ 435.105616] audit: type=1400 audit(1457191790.367:32): apparmor="STATUS" operation="profile_replace" profile="unconfined" ...


Serge Hallyn (serge-hallyn) wrote :

Hi,

could you please show the contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1 ?

virt-aa-helper *is* supposed to be adding an rw entry for each usb file for hostdevs being added (through file_iterate_hostdev_cb()), so I'm wondering which file isn't being handled and why.

Changed in libvirt (Ubuntu):
status: Expired → Incomplete
Leendert Keus (lj-keus) wrote :

The contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1:
=======================================================================
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-99917005-9251-4ea3-9e72-946b42061df1 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1.files>

}
=======================================================================
The contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/fedora20.log" w,
  "/var/lib/libvirt/**/fedora20.monitor" rw,
  "/var/run/libvirt/**/fedora20.pid" rwk,
  "/run/libvirt/**/fedora20.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.fedora20" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.fedora20" rw,
  "/vm/fedora/fed.qcow2" rw,
  "/var/lib/libvirt/qemu/channel/target/fedora20.org.qemu.guest_agent.0" rw,
  "/dev/bus/usb/004/003" rw,
  /dev/vhost-net rw,
  "/dev/net/tun" rw,
=======================================================================
Only a line for /dev/bus/usb/..., but no line for /run/udev/data/...

By the way, the line "/dev/bus/usb/*/[0-9]* rw," has always been in "/etc/apparmor.d/abstractions/libvirt-qemu" but was for some reason removed in Wily Werewolf. In the line "/dev/bus/usb/ rw,", the mentioned "rw" is not required; "r" is enough, as per default. So only something for /run/udev/data/... is needed.

summary: - apparmor for qemu is too restrictive for USB passthrough
+ USB passthrough - virt-aa-helper must grant /run/udev/data/ r
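
An added example (not part of the bug report and not libvirt's or virt-aa-helper's code): a Python check that compares AppArmor DENIED records for libvirt-<uuid> profiles with the rules in the generated .files and reports only the paths and masks that no rule grants, which is the comparison made by hand in the comment above. The function names and the abbreviated sample log are constructed for illustration; the glob handling covers only a subset of AppArmor syntax, and the c189 minor-to-bus/device mapping assumes the kernel's usual USB device node numbering.

```python
import re

USB_MAJOR = 189  # char major used for /dev/bus/usb/BBB/DDD nodes

# Constructed sample, abbreviated from the report's log excerpts; the last line is invented.
SAMPLE_LOG = '''\
audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1"
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:385" requested_mask="r" denied_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:0" requested_mask="r" denied_mask="r"
audit: type=1400 apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/dev/bus/usb/004/003" requested_mask="rw" denied_mask="rw"
'''

# Subset of the .files content posted in the report.
SAMPLE_RULES = '''\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/dev/bus/usb/004/003" rw,
  /dev/vhost-net rw,
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
RULE_RE = re.compile(r'^\s*"?([^"\s]+)"?\s+([a-z]+),\s*$')
UDEV_RE = re.compile(r'^/run/udev/data/c(\d+):(\d+)$')

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] in "*?":
            out.append("[^/]*" if glob[i] == "*" else "[^/]")
            i += 1
        elif glob[i] == "[" and "]" in glob[i:]:
            j = glob.index("]", i)
            out.append(glob[i:j + 1])  # character class passes through unchanged
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rules(text):
    """Return [(path_regex, permission_letters)] for each file rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules

def usb_node(path):
    """Map /run/udev/data/c189:N to the USB device node that record describes."""
    m = UDEV_RE.match(path)
    if not m or int(m.group(1)) != USB_MAJOR:
        return None
    minor = int(m.group(2))  # minor = (bus - 1) * 128 + (device - 1)
    return "/dev/bus/usb/%03d/%03d" % (minor // 128 + 1, minor % 128 + 1)

def uncovered_denials(log_text, rules_text):
    """Return sorted (path, denied_mask, usb_node) for denials no rule grants."""
    rules, missing = parse_rules(rules_text), set()
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("apparmor") != "DENIED" or \
                not f.get("profile", "").startswith("libvirt-"):
            continue
        path, mask = f["name"], f["denied_mask"]
        if not any(rx.match(path) and set(mask) <= perms for rx, perms in rules):
            missing.add((path, mask, usb_node(path)))
    return sorted(missing)

if __name__ == "__main__":
    print(uncovered_denials(SAMPLE_LOG, SAMPLE_RULES))
```

On the sample, the two udev records that remain uncovered describe devices 001/001 and 004/002, not the passed-through 004/003, so the reads come from enumerating other USB devices on the host.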
Leendert Keus (lj-keus) wrote :

Hi Serge, will this issue be solved in Xenial Xerus (16.04)?

Serge Hallyn (serge-hallyn) wrote :

Probably in an SRU. How to properly fix it is not yet clear to me.

Leendert Keus (lj-keus) wrote :

FYI,

Today upgraded to Xenial Xerus (16.04). While waiting for a solution for this issue, added

/run/udev/data/** r,

to /etc/apparmor.d/abstractions/libvirt-qemu

Darth Revan (darth-revan43) wrote :

Thank you @ngreco & @lj-keus for the information. It was a lot easier finding the solution with your help.

Richard Hansen (rhansen) on 2016-07-09
Changed in libvirt (Ubuntu):
status: Incomplete → Confirmed
Leendert Keus (lj-keus) wrote :

This week upgraded to Yakkety Yak (16.10). Problem still not(!) solved, I am very disappointed.
@Serge, Richard: What is the status of the solution?

Gal Buki (torusjkl) wrote :

I had to add the following lines to /etc/apparmor.d/abstractions/libvirt-qemu on Ubuntu 16.10.

  /run/udev/data/** r,
  /dev/bus/usb/*/[0-9]* rw,


I have the same issue, that can be easily hotfixed by editing apparmor's rules or by disabling it; anyway, when the machine tries to access the USB device a kernel null ptr dereference occurs.

My setup is a vanilla Ubuntu 16.04.1 LTS with libvirt and a virtual print server (Ubuntu 16.04.1 LTS too). I'm trying to pass a USB multifunction printer (a Samsung SCX B/W laser printer).

I added to /etc/apparmor.d/abstractions/libvirt-qemu:

  /run/udev/data/** r,
  /dev/bus/usb/*/[0-9]* rw,

When the machine starts I get a kernel oops:

[79766.096875] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79766.524927] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79767.252785] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79768.478231] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[79768.478253] IP: [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478266] PGD 0
[79768.478272] Oops: 0000 [#1] SMP
[79768.478280] Modules linked in: vhost_net vhost macvtap macvlan xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables snd_hda_codec_hdmi gpio_ich ppdev snd_hda_codec_realtek snd_hda_codec_generic bridge stp llc snd_hda_intel snd_hda_codec coretemp serio_raw snd_hda_core snd_hwdep snd_pcm usblp snd_timer lpc_ich input_leds snd shpchp soundcore i7core_edac winbond_cir edac_core i5500_temp rc_core 8250_fintek parport_pc mac_hid parport kvm_intel kvm irqbypass ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs drbg
[79768.478471] ansi_cprng xts gf128mul algif_skcipher af_alg dm_crypt raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 multipath linear raid0 pata_acpi hid_generic usbhid hid raid10 pata_marvell uas usb_storage nouveau mxm_wmi wmi video i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect firewire_ohci sysimgblt psmouse fb_sys_fops e1000e firewire_core mvsas ahci ptp drm crc_itu_t libahci libsas pps_core scsi_transport_sas fjes
[79768.478599] CPU: 2 PID: 23232 Comm: qemu-system-x86 Tainted: G I 4.4.0-53-generic #74-Ubuntu
[79768.478610] Hardware name: /DX58SO, BIOS SOX5810J.86A.2127.2008.0914.1638 09/14/2008
[79768.478620] task: ffff88041b314b00 ti: ffff880004634000 task.ti: ffff880004634000
[79768.478629] RIP: 0010:[<ffffffff81610c96>] [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478641] RSP: 0018:ffff880004637d18 EFLAGS: 00010202
[79768.478648] RAX: 0000000000000020 RBX: 00000000000000a1 RCX: 0000000000000100
[79768.478657] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[79768.478665] RBP: ffff880004637d60 R08: 0000000000000006 R09: ffff88041ec03e00
[79768.478673] R10: ffff88041ce0d800 R11: ffff880416c98000 R12: 0000000000000100
[79768.478682] R13: ffff8800359b00c0 R14: 0000000000000000 R15: ffff880004637e20
[79768.478691] FS: 00007f0b8b799700(0000) GS:ffff88041f280000(0...


Gert van Dijk (gertvdijk) wrote :

@Francesco Ongaro:

That appears to be another issue, unrelated to the bug in the description. Also supported by the amount of people that have reported success on this with the workaround. I suspect it is related to the hardware you're using. Please open a new bug report instead, I'd say.

Jean-Pierre van Riel (jpvr) wrote :

In my case, just adding `/run/udev/data/** r,` into /etc/apparmor.d/libvirt/TEMPLATE.qemu worked for me.

SLerman (smlerman) wrote :

I encountered the same problem with a built-in camera on my laptop running 17.04. I needed to add both of the following lines to /etc/apparmor.d/abstractions/libvirt-qemu

/dev/bus/usb/001/003 rw,
/run/udev/data/** r,

In my case, the camera is USB device 1-3.

Hi,
trying to get these bugs together: there is the related bug 1686324, which is why e.g. smlerman had to add the /dev/bus/usb/001/003 rw - this should actually be generated by virt-aa-helper but is failing on guest start. It works on usb hot plug, but needs to be solved.

For the other part I agree that "/run/udev/data/** r" is a workaround for those who opt in, but essentially needs proper virt-aa-helper coding to just open up what is needed.
To focus reports I'll dup this onto bug 1552241.
