apparmor prevents using SCSI hostdevs

Bug #1573192 reported by Simon Déziel on 2016-04-21
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Undecided
Unassigned

Bug Description

Trying to pass a SCSI device from the host to a VM with this XML definition:

  <hostdev mode='subsystem' type='scsi' managed='no' sgio='filtered' rawio='no'>
    <source>
      <adapter name='scsi_host2'/>
      <address bus='0' target='0' unit='0'/>
    </source>
    <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </hostdev>

Results in Apparmor denials like this during the VM startup:

apparmor="DENIED" operation="open" profile="libvirt-65e0d1b9-f6b1-4926-8648-dc685778555a" name="/dev/sg2" pid=7904 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
apparmor="DENIED" operation="open" profile="libvirt-65e0d1b9-f6b1-4926-8648-dc685778555a" name="/dev/sg2" pid=7904 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

Workaround:

Add "owner /dev/sg2 rw," to /etc/apparmor.d/libvirt/libvirt-$UUID and restart libvirt-bin.

Additional information:

# lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
# apt-cache policy libvirt-bin apparmor
libvirt-bin:
  Installed: 1.3.1-1ubuntu10
  Candidate: 1.3.1-1ubuntu10
  Version table:
 *** 1.3.1-1ubuntu10 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
apparmor:
  Installed: 2.10.95-0ubuntu2
  Candidate: 2.10.95-0ubuntu2
  Version table:
 *** 2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Apr 21 14:34:10 2016
KernLog:

SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [deleted]

Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) on 2016-04-21
description: updated
Simon Déziel (sdeziel) wrote :

This is reproducible on Trusty (after removing sgio='filtered' which isn't supported). The same workaround works as well.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers