USB passthrough - virt-aa-helper must grant /run/udev/data/ r

Bug #1515791 reported by Nahuel Greco
This bug affects 19 people
Affects: libvirt (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

When trying to use a USB printer from a QEMU guest (created with virt-manager) I get many apparmor errors in /var/log/kern.log, like:

Nov 8 18:08:00 ombu kernel: [ 8603.301618] audit: type=1400 audit(1447016880.250:195): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/dev/bus/usb/005/016" pid=10345 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=122 ouid=122
Nov 12 20:01:35 ombu kernel: [360670.214358] audit: type=1400 audit(1447369295.810:1531): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/run/udev/data/c189:0" pid=8408 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=122 ouid=0

The guest can't see the USB device at all. I solved the problem by editing /etc/apparmor.d/abstractions/libvirt-qemu changing this line:

 /dev/bus/usb/ r,

to this:

 /dev/bus/usb/ rw,

and adding these two lines:

  /dev/bus/usb/*/[0-9]* rw,
  /run/udev/** rw,

And then restarting apparmor and libvirtd. I think a similar configuration must come included in /etc/apparmor.d/abstractions/libvirt-qemu by default.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libvirt-bin 1.2.16-2ubuntu11
Uname: Linux 4.3.0-040300-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Nov 12 20:10:16 2015
InstallationDate: Installed on 2015-10-30 (13 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.abstractions.libvirt.qemu: [modified]
modified.conffile..etc.libvirt.libvirtd.conf: [modified]
modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu.conf']
modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible: [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']
mtime.conffile..etc.apparmor.d.abstractions.libvirt.qemu: 2015-11-12T20:03:10.223851
mtime.conffile..etc.libvirt.libvirtd.conf: 2015-11-12T19:32:30.170352

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1515791] [NEW] apparmor for qemu is too restrictive for USB passthrough

Thanks for reporting this bug.

Can you tell us exactly how you told virt-manager about the printer? For other types of usb devices (like an ereader) this has definitely created the needed rules for me.

Adding a blanket '/run/udev/** rw' rule would not be safe, but we should be able to find a way to add the needed rules through virt-aa-helper.

 status: incomplete
 priority: medium

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
Nahuel Greco (ngreco) wrote :

I simply clicked on "Add Hardware" -> "USB Host Device" and clicked on the
USB printer (a Silhouette Cameo 2, not really a printer but a plotter).

Regards,
Nahuel Greco.


Serge Hallyn (serge-hallyn) wrote :

Thanks - could you show the vm's xml configuration? (i.e. result of
virsh dumpxml vmname)

Orange Peel Beef (orangepeelbeef) wrote : Re: apparmor for qemu is too restrictive for USB passthrough

I have this exact same issue, and this workaround does in fact work.

<domain type='kvm' id='4'>
  <name>Windows-COE</name>
  <uuid>d994a682-2369-f82b-4592-fc4705b4dc2b</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>6</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <sysinfo type='smbios'>
    <bios>
      <entry name='vendor'>Hewlett-Packard</entry>
    </bios>
    <system>
      <entry name='manufacturer'>Hewlett-Packard</entry>
      <entry name='product'>HP Z420 Workstation</entry>
      <entry name='serial'>2UA3111WCH</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm-spice</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/Windows-COE.img'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='ccid' index='0'>
      <alias name='ccid0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:fb:20:90'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet1'/>
      <model type='rtl8139'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/14'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/14'>
      <source path='/dev/pts/14'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>...


Nahuel Greco (ngreco) wrote : Re: [Bug 1515791] [NEW] apparmor for qemu is too restrictive for USB passthrough

here is the vm's xml configuration:

<domain type='kvm' id='14'>
  <name>win7</name>
  <uuid>3c21df5e-dfef-4cf5-8e24-aeaa47235205</uuid>
  <memory unit='KiB'>5120000</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>6</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-vivid'>hvm</type>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Westmere</model>
  </cpu>
  <clock offset='localtime'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/disk2/flat2/kvm-storage1/win7.img'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06'
function='0x0'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01'
function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08'
function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08'
function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08'
function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08'
function='0x2'/>
    </controller>
    <interface type='direct'>
      <mac address='52:54:00:7f:9b:38'/>
      <source dev='enp7s0' mode='bridge'/>
      <target dev='macvtap0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:35:78:6d'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio...


Serge Hallyn (serge-hallyn) wrote : Re: apparmor for qemu is too restrictive for USB passthrough

I can't seem to reproduce this here.

Could you please reproduce this with a new VM, then show

1. dpkg -l | grep libvirt-bin
2. virsh dumpxml $vm
3. cat /etc/apparmor.d/libvirt/libvirt-${uuid}.files where uuid is the <uuid> entry you see in the output of (2)
4. cat /var/log/libvirt/qemu/${vm}.log
5. either 'grep DENIED /var/log/syslog | tail -100' or 'journalctl | grep DENIED | tail -100' (whichever works, depending on your init)

Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu):
status: Incomplete → Expired
Leendert Keus (lj-keus) wrote :

Hi,
I have the same issue.

host (fragment of syslog):
$sudo less /var/log/syslog
Mar 5 16:54:33 hostname kernel: [ 512.162587] audit: type=1400 audit(1457193273.817:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.173929] audit: type=1400 audit(1457193273.829:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=2762 comm="apparmor_parser"
Mar 5 16:54:33 hostname kernel: [ 512.282083] audit: type=1400 audit(1457193273.937:64): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:1" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282160] audit: type=1400 audit(1457193273.937:65): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:257" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282232] audit: type=1400 audit(1457193273.937:66): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:385" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282302] audit: type=1400 audit(1457193273.937:67): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:0" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282371] audit: type=1400 audit(1457193273.937:68): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:128" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Mar 5 16:54:33 hostname kernel: [ 512.282437] audit: type=1400 audit(1457193273.937:69): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:256" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0

guest (no passthrough of usb device):
$lsusb
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 0409:55aa NEC Corp. Hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

host (aa-complain of libvirtd and vm) + fragment of syslog
$sudo aa-complain /usr/sbin/libvirtd
$sudo aa-complain /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1

$sudo less /var/log/syslog
Mar 5 16:29:50 hostname kernel: [ 435.105616] audit: type=1400 audit(1457191790.367:32): apparmor="STATUS" operation="profile_replace" profile="unconfined" ...


Serge Hallyn (serge-hallyn) wrote :

Hi,

could you please show the contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1 ?

virt-aa-helper *is* supposed to be adding an rw entry for each usb file for hostdevs being added (through file_iterate_hostdev_cb()), so I'm wondering which file isn't being handled and why.

Changed in libvirt (Ubuntu):
status: Expired → Incomplete
Leendert Keus (lj-keus) wrote :

The contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1:
=======================================================================
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-99917005-9251-4ea3-9e72-946b42061df1 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1.files>

}
=======================================================================
The contents of /etc/apparmor.d/libvirt/libvirt-99917005-9251-4ea3-9e72-946b42061df1.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/fedora20.log" w,
  "/var/lib/libvirt/**/fedora20.monitor" rw,
  "/var/run/libvirt/**/fedora20.pid" rwk,
  "/run/libvirt/**/fedora20.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.fedora20" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.fedora20" rw,
  "/vm/fedora/fed.qcow2" rw,
  "/var/lib/libvirt/qemu/channel/target/fedora20.org.qemu.guest_agent.0" rw,
  "/dev/bus/usb/004/003" rw,
  /dev/vhost-net rw,
  "/dev/net/tun" rw,
=======================================================================
Only a line for /dev/bus/usb/..., but no line for /run/udev/data/...

By the way, the line "/dev/bus/usb/*/[0-9]* rw," has always been in "/etc/apparmor.d/abstractions/libvirt-qemu" but was for some reason removed in Wily Werewolf, and in the line "/dev/bus/usb/ rw,", the mentioned "rw" is not required; "r" is enough as per default. So only something for /run/udev/data/... is needed.

summary: - apparmor for qemu is too restrictive for USB passthrough
+ USB passthrough - virt-aa-helper must grant /run/udev/data/ r
Leendert Keus (lj-keus) wrote :

Hi Serge, will this issue be solved in Xenial Xerus (16.04)?

Serge Hallyn (serge-hallyn) wrote :

Probably in an SRU. How to properly fix it is not yet clear to me.

Leendert Keus (lj-keus) wrote :

FYI,

Today upgraded to Xenial Xerus (16.04). While waiting for a solution for this issue, added

/run/udev/data/** r,

to /etc/apparmor.d/abstractions/libvirt-qemu

Darth Revan (darth-revan43) wrote :

Thank you @ngreco & @lj-keus for the information. It was a lot easier finding the solution with your help.

Richard Hansen (rhansen)
Changed in libvirt (Ubuntu):
status: Incomplete → Confirmed
Leendert Keus (lj-keus) wrote :

This week upgraded to Yakkety Yak (16.10). Problem still not(!) solved, I am very disappointed.
@Serge, Richard: What is the status of the solution?

Gal Buki (torusjkl) wrote :

I had to add the following lines to /etc/apparmor.d/abstractions/libvirt-qemu on Ubuntu 16.10.

  /run/udev/data/** r,
  /dev/bus/usb/*/[0-9]* rw,

Francesco Ongaro (francesco-ongaro) wrote :

I have the same issue, which can be easily hotfixed by editing apparmor's rules or by disabling it; anyway, when the machine tries to access the USB device a kernel null ptr dereference occurs.

My setup is a vanilla Ubuntu 16.04.1 LTS with libvirt and a virtual print server (Ubuntu 16.04.1 LTS too). I'm trying to pass a USB multifunction printer (a Samsung SCX B/W laser printer).

I added to /etc/apparmor.d/abstractions/libvirt-qemu:

  /run/udev/data/** r,
  /dev/bus/usb/*/[0-9]* rw,

When the machine starts I get a kernel Oops:

[79766.096875] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79766.524927] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79767.252785] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79768.478231] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[79768.478253] IP: [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478266] PGD 0
[79768.478272] Oops: 0000 [#1] SMP
[79768.478599] CPU: 2 PID: 23232 Comm: qemu-system-x86 Tainted: G I 4.4.0-53-generic #74-Ubuntu
[79768.478610] Hardware name: /DX58SO, BIOS SOX5810J.86A.2127.2008.0914.1638 09/14/2008
[79768.478620] task: ffff88041b314b00 ti: ffff880004634000 task.ti: ffff880004634000
[79768.478629] RIP: 0010:[<ffffffff81610c96>] [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0

Gert van Dijk (gertvdijk) wrote :

@Francesco Ongaro:

That appears to be another issue, unrelated to the bug in the description. Also supported by the amount of people that have reported success on this with the workaround. I suspect it is related to the hardware you're using. Please open a new bug report instead, I'd say.

Jean-Pierre van Riel (jpvr) wrote :

In my case, just adding `/run/udev/data/** r,` into /etc/apparmor.d/libvirt/TEMPLATE.qemu worked for me.

SLerman (smlerman) wrote :

I encountered the same problem with a built-in camera on my laptop running 17.04. I needed to add both of the following lines to /etc/apparmor.d/abstractions/libvirt-qemu

/dev/bus/usb/001/003 rw,
/run/udev/data/** r,

In my case, the camera is USB device 1-3.

Christian Ehrhardt (paelzer) wrote :

Hi,
trying to get these bugs together: there is the related bug 1686324, which is why e.g. smlerman had to add the /dev/bus/usb/001/003 rw - this should actually be generated by virt-aa-helper but is failing on guest start. It works on usb hot plug, but needs to be solved.

For the other part I agree that "/run/udev/data/** r" is a workaround for those who opt in, but essentially needs proper virt-aa-helper coding to just open up what is needed.
To focus reports I'll dup this onto bug 1552241.
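
The thread contrasts a blanket `/run/udev/** rw` rule with opening only what is needed. The following added example (not part of the original report and not libvirt or virt-aa-helper code) parses AppArmor denial records like the ones quoted above, maps each denied `/run/udev/data/c189:N` entry back to the USB node it describes, and lists exact-path candidate rules per profile for review. The function names are hypothetical; the mapping uses the Linux convention that USB device nodes have char major 189 and minor `(bus - 1) * 128 + (device - 1)`.

```python
import re
from collections import defaultdict

USB_MAJOR = 189  # char major of the /dev/bus/usb/BBB/DDD nodes on Linux
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Sample input: four audit records copied from the excerpts in this report
# (syslog timestamp and host prefix trimmed); the third is a STATUS record.
SAMPLE_LOG = '''\
audit: type=1400 audit(1447016880.250:195): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/dev/bus/usb/005/016" pid=10345 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=122 ouid=122
audit: type=1400 audit(1447369295.810:1531): apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" name="/run/udev/data/c189:0" pid=8408 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=122 ouid=0
audit: type=1400 audit(1457193273.817:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-99917005-9251-4ea3-9e72-946b42061df1" pid=2762 comm="apparmor_parser"
audit: type=1400 audit(1457193273.937:65): apparmor="DENIED" operation="open" profile="libvirt-99917005-9251-4ea3-9e72-946b42061df1" name="/run/udev/data/c189:257" pid=2764 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
'''


def parse_denials(text):
    """Yield the key="value" fields of every AppArmor DENIED record in text."""
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields


def usb_node_to_udev(path):
    """Map /dev/bus/usb/BBB/DDD to its udev database entry, else None."""
    m = re.fullmatch(r"/dev/bus/usb/(\d{3})/(\d{3})", path)
    if not m:
        return None
    bus, dev = int(m.group(1)), int(m.group(2))
    return f"/run/udev/data/c{USB_MAJOR}:{(bus - 1) * 128 + (dev - 1)}"


def udev_to_usb_node(path):
    """Map /run/udev/data/c189:N back to the USB node it describes, else None."""
    m = re.fullmatch(r"/run/udev/data/c(\d+):(\d+)", path)
    if not m or int(m.group(1)) != USB_MAJOR:
        return None
    minor = int(m.group(2))
    return f"/dev/bus/usb/{minor // 128 + 1:03d}/{minor % 128 + 1:03d}"


def candidate_rules(text):
    """Return {profile: sorted exact-path rules} covering only observed denials."""
    rules = defaultdict(set)
    for f in parse_denials(text):
        rules[f["profile"]].add(f'"{f["name"]}" {f["denied_mask"]},')
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == "__main__":
    for f in parse_denials(SAMPLE_LOG):
        node = udev_to_usb_node(f["name"])
        note = f"  (udev data for {node})" if node else ""
        print(f'{f["profile"]}: {f["name"]} [{f["denied_mask"]}]{note}')
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(f"\n# candidate rules for {profile}, review before use")
        for rule in rules:
            print("  " + rule)
```

USB device numbers change when a device is re-plugged, so exact-path rules derived this way only describe the moment the log was taken; they are useful for seeing how much narrower than `/run/udev/** rw` the observed accesses are.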
