Hi,

I have the same issue.

host (fragment of syslog):

$ sudo less /var/log/syslog
Mar 5 16:54:33 hostname kernel: [ 512.162587] audit: type=1400 audit(1457193273.817:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.173929] audit: type=1400 audit(1457193273.829:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.282083] audit: type=1400 audit(1457193273.937:64): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:1" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282160] audit: type=1400 audit(1457193273.937:65): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:257" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282232] audit: type=1400 audit(1457193273.937:66): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:385" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282302] audit: type=1400 audit(1457193273.937:67): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:0" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282371] audit: type=1400 audit(1457193273.937:68): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:128" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282437] audit: type=1400 audit(1457193273.937:69): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:256" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0

guest (no passthrough of usb device):

$ lsusb
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 0409:55aa NEC Corp. Hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

host (aa-complain of libvirtd and vm) + fragment of syslog:

$ sudo aa-complain /usr/sbin/libvirtd
$ sudo aa-complain /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1
$ sudo less /var/log/syslog
Mar 5 16:29:50 hostname kernel: [ 435.105616] audit: type=1400 audit(1457191790.367:32): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1" pid=2886 comm="apparmor_parser"
Mar 5 16:29:50 hostname kernel: [ 435.135463] audit: type=1400 audit(1457191790.399:33): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=2886 comm="apparmor_parser"
Mar 5 16:29:50 hostname kernel: [ 435.600391] audit: type=1400 audit(1457191790.863:34): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:1" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname kernel: [ 435.600550] audit: type=1400 audit(1457191790.863:35): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:257" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname kernel: [ 435.600686] audit: type=1400 audit(1457191790.863:36): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:385" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname kernel: [ 435.600818] audit: type=1400 audit(1457191790.863:37): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:0" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname kernel: [ 435.600947] audit: type=1400 audit(1457191790.863:38): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:128" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname kernel: [ 435.601075] audit: type=1400 audit(1457191790.863:39): apparmor="ALLOWED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:256" pid=2889 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:29:50 hostname udisksd[1902]: Cleaning up mount point /media/leen/HP-8GB (device 8:33 no longer exist)
Mar 5 16:29:50 hostname systemd[1]: Unmounting /media/leen/HP-8GB...
Mar 5 16:29:50 hostname umount[2910]: umount: /media/leen/HP-8GB: not mounted
Mar 5 16:29:50 hostname systemd[1]: media-leen-HP\x2d8GB.mount: Mount process exited, code=exited status=32
Mar 5 16:29:50 hostname systemd[1]: Unmounted /media/leen/HP-8GB.
Mar 5 16:29:50 hostname systemd[1]: media-leen-HP\x2d8GB.mount: Unit entered failed state.

guest (USB device is redirected to vm):

$ lsusb
Bus 001 Device 005: ID 03f0:3307 Hewlett-Packard
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 0409:55aa NEC Corp. Hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

The proposed changes to libvirt-qemu for apparmor worked for me. If '/run/udev/** rw' is unsafe, please give advice on what must be changed in apparmor for this issue.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1515791

Title:
  apparmor for qemu is too restrictive for USB passthrough

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1515791/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
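
Added example (not part of the original report or of libvirt/AppArmor): a sketch that reads audit records in the format quoted above and derives the narrowest candidate rule covering the logged denials, for comparison with '/run/udev/** rw'. The function names, the sample records and the profile name "libvirt-EXAMPLE" are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the syslog excerpts above; the
# profile name is a placeholder, not a real libvirt UUID.
_REC = ('Mar 5 16:54:33 hostname kernel: [ 512.28] audit: type=1400 '
        'audit(1457193273.937:{n}): apparmor="{verdict}" operation="open" '
        'profile="libvirt-EXAMPLE" name="/run/udev/data/c189:{minor}" '
        'pid=2764 comm="qemu-system-x86" requested_mask="r" '
        'denied_mask="r" fsuid=120 ouid=0')
SAMPLE_LOG = "\n".join([
    'Mar 5 16:54:33 hostname kernel: [ 512.17] audit: type=1400 '
    'audit(1457193273.829:63): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" '
    'name="qemu_bridge_helper" pid=2762 comm="apparmor_parser"',
    _REC.format(n=64, verdict="DENIED", minor=1),
    _REC.format(n=65, verdict="DENIED", minor=257),
    _REC.format(n=66, verdict="ALLOWED", minor=0),  # complain-mode record
])

KV = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" audit fields

def collect_denials(log_text):
    """Map profile -> {path: set of denied_mask letters}.

    DENIED (enforce mode) and ALLOWED (complain mode) records both carry
    denied_mask, i.e. what the loaded profile does not permit.
    """
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # skip STATUS and non-AppArmor lines
        if "name" in f and "denied_mask" in f:
            denials[f["profile"]][f["name"]].update(f["denied_mask"])
    return denials

def suggest_rules(denials):
    """Candidate rules: wildcard only a trailing number (the device minor).

    Mask letters are copied from the log as-is; the sample contains only r.
    """
    rules = defaultdict(set)
    for paths in denials.values():
        for path, mask in paths.items():
            rules[re.sub(r"\d+$", "*", path)].update(mask)
    return [f"{g} {''.join(sorted(m))}," for g, m in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(suggest_rules(collect_denials(SAMPLE_LOG))))
```

The output is a candidate to review against the profile, not a tested fix; it only reflects the accesses that appear in the log it was given.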