Use a guest XML that already combines the USB Hostdev in it.

# cat testguest.xml 
<domain type='kvm'>
    <name>testguest</name>
    <uuid>deadbeef-dead-beef-dead-beefdeadbeef</uuid>
    <memory unit='KiB'>1024</memory>
    <vcpu placement='static'>1</vcpu>
    <os>
        <type arch='x86_64' machine='pc-i440fx-zesty'>hvm</type>
        <boot dev='hd'/>
    </os>
    <features>
        <acpi/>
        <apic/>
        <pae/>
    </features>
    <devices>
        <emulator>/usr/bin/kvm-spice</emulator>
        <disk type='file' device='disk'>
            <driver name='qemu'/>
            <source file='/var/lib/libvirt/images/A.img'/>
            <target dev='vda'/>
        </disk>
        <hostdev mode='subsystem' type='usb' managed='yes'>
            <source>
                <vendor id='0x046d'/>
                <product id='0x0825'/>
            </source>
        </hostdev>
    </devices>
    <seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>

root@ubuntu:~# virsh define testguest.xml 
Domain testguest defined from testguest.xml

root@ubuntu:~# virsh start testguest
error: Failed to start domain testguest
error: internal error: process exited while connecting to monitor: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2]
2017-10-25T10:31:34.412297Z qemu-system-x86_64: -device usb-host,hostbus=2,hostaddr=10,id=hostdev0,bus=usb.0,port=1: failed to find host usb device 2:10

Along with that there are AppArmor denials:
[ 2260.676741] audit: type=1400 audit(1508927494.409:129): apparmor="DENIED" operation="open" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/run/udev/data/c189:133" pid=9571 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[ 2260.677046] audit: type=1400 audit(1508927494.409:132): apparmor="DENIED" operation="open" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/run/udev/data/c189:256" pid=9571 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[ 2260.677424] audit: type=1400 audit(1508927494.410:135): apparmor="DENIED" operation="open" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/run/udev/data/c189:129" pid=9571 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[ 2260.677733] audit: type=1400 audit(1508927494.410:137): apparmor="DENIED" operation="open" profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" name="/run/udev/data/c189:0" pid=9571 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

The failed Profile for the guest has the wrong rule:
root@ubuntu:~# grep usb /etc/apparmor.d/libvirt/libvirt-deadbeef-dead-beef-dead-beefdeadbeef.files
  "/dev/bus/usb/000/000" rw,

# After upgrading to proposed no more errors while doing that.


root@ubuntu:~# apt install libvirt-daemon-system=3.6.0-1ubuntu6 libvirt-clients=3.6.0-1ubuntu6 libvirt-daemon=3.6.0-1ubuntu6 libvirt0=3.6.0-1ubuntu6
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  numad radvd auditd systemtap nfs-common zfsutils pm-utils
The following packages will be upgraded:
  libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0
4 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
Need to get 4058 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-daemon-system amd64 3.6.0-1ubuntu6 [78.5 kB]
Get:2 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-clients amd64 3.6.0-1ubuntu6 [587 kB]
Get:3 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt-daemon amd64 3.6.0-1ubuntu6 [2149 kB]
Get:4 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 libvirt0 amd64 3.6.0-1ubuntu6 [1243 kB]
Fetched 4058 kB in 1s (3440 kB/s) 
Preconfiguring packages ...
(Reading database ... 149517 files and directories currently installed.)
Preparing to unpack .../libvirt-daemon-system_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-daemon-system (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt-clients_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-clients (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt-daemon_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt-daemon (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Preparing to unpack .../libvirt0_3.6.0-1ubuntu6_amd64.deb ...
Unpacking libvirt0:amd64 (3.6.0-1ubuntu6) over (3.6.0-1ubuntu5) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up libvirt0:amd64 (3.6.0-1ubuntu6) ...
Setting up libvirt-daemon (3.6.0-1ubuntu6) ...
Processing triggers for libc-bin (2.26-0ubuntu2) ...
Processing triggers for systemd (234-2ubuntu12) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libvirt-clients (3.6.0-1ubuntu6) ...
Setting up libvirt-daemon-system (3.6.0-1ubuntu6) ...
Installing new version of config file /etc/apparmor.d/abstractions/libvirt-qemu ...
virtlockd.service is a disabled or a static unit, not starting it.
Setting up libvirt-daemon dnsmasq configuration.
root@ubuntu:~# 
root@ubuntu:~# 
root@ubuntu:~# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     testguest                      shut off

root@ubuntu:~# virsh start testguest
Domain testguest started

The rule is correct now:

root@ubuntu:~# grep usb /etc/apparmor.d/libvirt/libvirt-deadbeef-dead-beef-dead-beefdeadbeef.files
"/dev/bus/usb/002/010" rw,


=> Verified

Note: you likely came here because you have issues with USB passthrough. While 
working on this I found related issues; please check the following bugs to be 
sure you do not just have to add a config or so:
- bug 1727311
- bug 1727313

** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686324

Title:
  usb hostdev passthrough generates the wrong apparmor rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1686324/+subscriptions
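
The check performed by hand in the report above, as an added example (not part of the original bug comment and not libvirt's own code): it compares the USB rule in a per-guest `.files` profile with the `hostbus`/`hostaddr` pair QEMU was started with, and decodes the `/run/udev/data/c189:N` names from the denials. The function names are hypothetical, the sample strings are copied from the report, and the decoding assumes the standard Linux USB character-device numbering (major 189, minor = (bus-1)*128 + (device-1)).

```python
import re

# Constructed sample input: strings copied from the report above.
QEMU_ARGS = "usb-host,hostbus=2,hostaddr=10,id=hostdev0,bus=usb.0,port=1"
FILES_BEFORE = '  "/dev/bus/usb/000/000" rw,\n'   # rule before the fix
FILES_AFTER = '"/dev/bus/usb/002/010" rw,\n'      # rule after the fix
DENIAL = ('apparmor="DENIED" operation="open" '
          'profile="libvirt-deadbeef-dead-beef-dead-beefdeadbeef" '
          'name="/run/udev/data/c189:133" pid=9571 comm="qemu-system-x86" '
          'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0')

USB_MAJOR = 189  # Linux char major for USB device nodes (assumption stated above)


def expected_node(qemu_args):
    """Device node QEMU opens for a usb-host hostbus/hostaddr pair."""
    m = re.search(r"hostbus=(\d+),hostaddr=(\d+)", qemu_args)
    if not m:
        raise ValueError("no hostbus/hostaddr in usb-host arguments")
    return "/dev/bus/usb/%03d/%03d" % (int(m.group(1)), int(m.group(2)))


def usb_rules(files_text):
    """USB device-node paths granted rw by a per-guest .files profile."""
    return re.findall(r'"(/dev/bus/usb/\d{3}/\d{3})"\s+rw,', files_text)


def rule_covers_device(files_text, qemu_args):
    """True only if the profile grants the node QEMU actually needs."""
    return expected_node(qemu_args) in usb_rules(files_text)


def parse_denial(line):
    """Extract key=value fields from an AppArmor audit record."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def udev_entry_to_usb(name):
    """Map /run/udev/data/c189:<minor> to (bus, device); None if not USB."""
    m = re.fullmatch(r"/run/udev/data/c(\d+):(\d+)", name)
    if not m or int(m.group(1)) != USB_MAJOR:
        return None
    minor = int(m.group(2))
    return minor // 128 + 1, minor % 128 + 1
```
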
