usb hostdev passthrough generates the wrong apparmor rules
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | Medium | Unassigned | |
| Xenial | Won't Fix | Undecided | Unassigned | |
| Zesty | Won't Fix | Undecided | Unassigned | |
| Artful | Fix Released | Medium | Unassigned | |
Bug Description
[Impact]
* USB Host devices fail to add statically
* The reason is that libvirt has not yet initialized usb devices
* Fix by back-porting small upstream change
[Test Case]
* Create a VM Guest (e.g. via uvtool)
* Shut down the guest
* virsh edit <guestname>
* Add a usb hostdev from your System (check lsusb for IDs)
* See the original description below for XML examples
* Starting the guest will create a wrong rule
"/
And due to that fails to start.
[Regression Potential]
* The change is small and only makes certain values available to libvirt
* The only thing I could think of regressing is if that
virHostdevFi
fail later on in the lifecycle even without the patch - so we should be
safe IMHO.
[Other Info]
* I waited for it to be accepted upstream to be more confident, which is
partially why this took so long, but it provides some extra confidence.
---
Libvirt-aa-helper seems to have a bug when adding usb passthrough devices statically.
On hotplug with:
$ cat sandisk-usb.xml
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <!--
      idVendor  0x0781 SanDisk Corp.
      idProduct 0x5580 SDCZ80 Flash Drive
    -->
    <vendor id='0x0781'/>
    <product id='0x5580'/>
  </source>
</hostdev>
$ virsh attach-device z-test1 sandisk-usb.xml
It generates correctly:
"/dev/bus/
But if adding the same XML part to the guest xml itself it generates:
"/dev/bus/
And as a follow on issue the guest start fails with:
libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/
Due to:
apparmor="DENIED" operation="open" profile=
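A check for the test case above, added here and not part of the bug report or of libvirt: it reads the vendor/product ids from the hostdev XML, maps them through lsusb output to the /dev/bus/usb node, and confirms that the generated per-guest profile lists that node. The lsusb and profile text are constructed samples, and the rule shape `"/dev/bus/usb/BBB/DDD" rw,` is assumed; on a real host, read the profile from /etc/apparmor.d/libvirt/libvirt-<uuid>.files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed hostdev XML for the same device as the report.
HOSTDEV_XML = """<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <vendor id='0x0781'/>
    <product id='0x5580'/>
  </source>
</hostdev>"""

# Constructed lsusb output (real output comes from running `lsusb`).
LSUSB_OUTPUT = """Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 0781:5580 SanDisk Corp. SDCZ80 Flash Drive
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub"""

# Constructed profile snippets: one that grants the device node, one that lacks it.
GOOD_PROFILE = '''  "/var/lib/libvirt/images/z-test1.qcow2" rwk,
  "/dev/bus/usb/001/004" rw,
'''
BAD_PROFILE = '''  "/var/lib/libvirt/images/z-test1.qcow2" rwk,
'''

LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})", re.I)

def hostdev_ids(xml_text):
    """Return (vendor, product) as integers from a usb hostdev element."""
    root = ET.fromstring(xml_text)
    vendor = root.find("./source/vendor").get("id")
    product = root.find("./source/product").get("id")
    return int(vendor, 16), int(product, 16)

def find_device_nodes(lsusb_text, vendor, product):
    """Map a vendor/product pair to the /dev/bus/usb/BBB/DDD nodes lsusb reports."""
    nodes = []
    for line in lsusb_text.splitlines():
        m = LSUSB_RE.match(line)
        if m and int(m.group(3), 16) == vendor and int(m.group(4), 16) == product:
            nodes.append("/dev/bus/usb/%s/%s" % (m.group(1), m.group(2)))
    return nodes

def expected_rules(nodes):
    # Assumed rule shape: a quoted device path with rw permissions.
    return ['"%s" rw,' % n for n in nodes]

def missing_rules(profile_text, rules):
    """Return the expected rules that do not appear verbatim in the profile."""
    present = {line.strip() for line in profile_text.splitlines()}
    return [r for r in rules if r not in present]
```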
Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: server-next
tags: added: virt-aa-helper
tags: removed: server-next
description: updated
Actually if possible this should become so good that we can drop the /dev/usb addition to apparmor that we have.