[regression] apparmor profile not updated on attach and detach of devices

Bug #435527 reported by Jamie Strandboge
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Jamie Strandboge
Milestone: (blank)

Bug Description

bug #432154 (in kvm) masked the fact that the AppArmor libvirt integration did not allow for attaching and detaching of devices. This is a regression over Jaunty and required for Eucalyptus and attached storage (i.e. AoE).

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
milestone: none → ubuntu-9.10-beta
status: New → In Progress
tags: added: regression-potential
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu8

---------------
libvirt (0.7.0-1ubuntu8) karmic; urgency=low

  * debian/patches/9091-apparmor.patch: sync with upstream for maintenance,
    licensing compliance with upstream and bug fixes:
    - handle files with spaces in the name (LP: #432810)
    - add serial, console, kernel and initrd support (LP: #432581)
    - allow read only access to /boot, /vmlinuz and /initrd.img
    - allow access to character devices (eg USB devices)
    - have virt-aa-helper accept XML on stdin, which allows for adding
      other devices in the future and helps ensure we always have the most
      up to date definition
    - update profile on attach and detach of devices (LP: #435527)
    - add --dryrun option to virt-aa-helper, and greatly improve the
      virt-aa-helper-test script
  * revert workaround for LP: #431090 now that kernel, initrd, et al is
    properly supported
  * debian/apparmor/usr.sbin.libvirtd: add various capabilities
    recommended by upstream to prevent potential regressions

 -- Jamie Strandboge <email address hidden> Tue, 22 Sep 2009 20:04:58 -0500

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

During testing, I found that attach-device and attach-disk occasionally triggered spurious APPARMOR_DENIED messages in the host kernel (possibly related to the guest kernel trying to poll it). Whenever I saw these messages, the guest was always able to access the disk (e.g. 'sudo fdisk -l /dev/...'). It is possible that the host kernel isn't up to date on the logging the split second after apparmor_parser exits. This could possibly be fixed if libvirt slept for a second after calling virt-aa-helper.

Jamie Strandboge (jdstrand) wrote :

After further testing, I found that if the VM was fully booted, it would not spit out the spurious APPARMOR_DENIED messages (after >500 attach/detach cycles). As such, it seems clear these denied messages only occasionally happen when the guest is booting.

Jamie Strandboge (jdstrand) wrote :

It is possible the spurious messages happen when ACPI is initializing in the guest when the attach occurs. This needs to be investigated further to be certain.

Markus Wigge (markus-cultcom) wrote :

On jaunty I could attach usb devices to a running machine like this:
$ virsh attach-device winbox usb-nokia.xml

After upgrading to karmic this results in the following kernel log:
[22389.943569] type=1503 audit(1258461825.254:41): operation="open" pid=7705 parent=1 profile="libvirt-9edf0dc3-867a-4ae1-bc7a-acbbd148d44e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/bus/usb/devices/"

As far as I understand it the profile under /etc/apparmor.d/libvirt is not updated properly when attaching a device.

Jamie Strandboge (jdstrand) wrote :

Markus,

This bug is about using attach and detach commands via libvirt, and not USB (hostdev) devices. Hostdev support will be added in 10.04. In the meantime, please see /etc/apparmor.d/abstractions/libvirt-qemu:
  # WARNING: uncommenting these gives the guest direct access to host hardware.
  # This is required for USB pass through but is a security risk. You have been
  # warned.
  #/sys/bus/usb/devices/ r,
  #/sys/devices/*/*/usb[0-9]*/** r,
  #/dev/bus/usb/*/[0-9]* rw,

If you uncomment the apparmor rules above, then stop and start your VM, USB should work fine. If not, please file a different bug.
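Added example, not part of libvirt, virt-aa-helper or this bug report: a small Python script that ties together the kernel log line Markus quoted and the three commented-out USB rules from /etc/apparmor.d/abstractions/libvirt-qemu in the reply above. It parses type=1503 AppArmor audit lines out of a kernel log into their fields (profile, operation, name, denied_mask, ...), then checks which of those rules, if uncommented, would have covered a given denial. The glob-to-regex helper is a hypothetical minimal translation of AppArmor path globs, not AppArmor's own matcher. The sample log is constructed: its first line is the denial quoted above, the second is a made-up denial for an attach-disk block device, the third an ordinary kernel message the parser must ignore.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Line 1 is the denial quoted in the comment above;
# line 2 is a made-up denial for a block device added with attach-disk;
# line 3 is an ordinary kernel message that the parser must ignore.
SAMPLE_KERNEL_LOG = """\
[22389.943569] type=1503 audit(1258461825.254:41): operation="open" pid=7705 parent=1 profile="libvirt-9edf0dc3-867a-4ae1-bc7a-acbbd148d44e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/bus/usb/devices/"
[22401.101010] type=1503 audit(1258461836.412:42): operation="open" pid=7705 parent=1 profile="libvirt-9edf0dc3-867a-4ae1-bc7a-acbbd148d44e" requested_mask="rw::" denied_mask="w::" fsuid=0 ouid=0 name="/dev/etherd/e0.1"
[22402.000000] usb 1-1: new high speed USB device using ehci_hcd and address 5
"""

# The three USB pass-through rules that ship commented out in
# /etc/apparmor.d/abstractions/libvirt-qemu, as (path glob, permissions).
USB_PASSTHROUGH_RULES: List[Tuple[str, str]] = [
    ("/sys/bus/usb/devices/", "r"),
    ("/sys/devices/*/*/usb[0-9]*/**", "r"),
    ("/dev/bus/usb/*/[0-9]*", "rw"),
]

_AUDIT_RE = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\):")
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denials(log: str) -> List[Dict[str, str]]:
    """Return one dict of fields per AppArmor audit line (type=1503) in `log`.
    Other kernel messages are skipped."""
    records = []
    for line in log.splitlines():
        m = _AUDIT_RE.search(line)
        if not m or m.group(1) != "1503":
            continue
        rec = {"timestamp": m.group(2), "serial": m.group(3)}
        # key="quoted value" or key=bare-value pairs after the audit(...) prefix
        for key, quoted, bare in _KV_RE.findall(line[m.end():]):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def apparmor_glob_to_regex(rule_path: str) -> "re.Pattern[str]":
    """Minimal translation of an AppArmor path glob into an anchored regex
    (hypothetical helper, not AppArmor's own matcher): '**' matches across '/',
    '*' and '?' do not cross '/', and '[...]' is passed through as a class."""
    out = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = rule_path[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in rule_path[i:]:
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def covering_rule(denial: Dict[str, str],
                  rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the path of the first rule whose glob matches the denied name and
    whose permissions include every letter of denied_mask (the '::' owner
    separators are ignored), or None if no rule would have allowed the access."""
    needed = set(denial.get("denied_mask", "").replace(":", ""))
    name = denial.get("name", "")
    for path, perms in rules:
        if apparmor_glob_to_regex(path).match(name) and needed <= set(perms):
            return path
    return None


def report(log: str) -> List[Tuple[str, str, Optional[str]]]:
    """(profile, denied path, covering rule or None) for every denial in `log`."""
    return [(d.get("profile", "?"), d.get("name", "?"),
             covering_rule(d, USB_PASSTHROUGH_RULES))
            for d in parse_apparmor_denials(log)]


if __name__ == "__main__":
    for profile, name, rule in report(SAMPLE_KERNEL_LOG):
        verdict = f"covered by rule '{rule}'" if rule else "not covered by the USB rules"
        print(f"{profile}: {name} -> {verdict}")
```

Run against a real log with `dmesg | python3 script.py` style plumbing (feed the text into `report()`); a denial that no rule covers is the case this bug is about, a profile that virt-aa-helper did not update for the attached device, whereas a denial matched by one of the USB rules is the hostdev case the reply above defers to 10.04.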
