On Fri, Nov 13, 2015 at 6:19 PM, Serge Hallyn <email address hidden>
wrote:
> Thanks - could you show the vm's xml configuration? (i.e. result of
> virsh dumpxml vmname)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1515791
>
> Title:
> apparmor for qemu is too restrictive for USB passthrough
>
> Status in libvirt package in Ubuntu:
> Incomplete
>
> Bug description:
> When trying to use a USB printer from a QEMU guest (created with
> virt-manager) I get many apparmor errors in /var/log/kern.log, like:
>
> Nov 8 18:08:00 ombu kernel: [ 8603.301618] audit: type=1400
> audit(1447016880.250:195): apparmor="DENIED" operation="open"
> profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205"
> name="/dev/bus/usb/005/016" pid=10345 comm="qemu-system-x86"
> requested_mask="rw" denied_mask="rw" fsuid=122 ouid=122
> Nov 12 20:01:35 ombu kernel: [360670.214358] audit: type=1400
> audit(1447369295.810:1531): apparmor="DENIED" operation="open"
> profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205"
> name="/run/udev/data/c189:0" pid=8408 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=122 ouid=0
>
> The guest can't see the USB device at all. I solved the problem by
> editing /etc/apparmor.d/abstractions/libvirt-qemu changing this line:
>
> /dev/bus/usb/ r,
>
> to this:
>
> /dev/bus/usb/ rw,
>
> and adding these two lines:
>
> /dev/bus/usb/*/[0-9]* rw,
> /run/udev/** rw,
>
> And then restarting apparmor and libvirtd. I think a similar
> configuration must come included in
> /etc/apparmor.d/abstractions/libvirt-qemu by default.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 15.10
> Package: libvirt-bin 1.2.16-2ubuntu11
> Uname: Linux 4.3.0-040300-generic x86_64
> ApportVersion: 2.19.1-0ubuntu4
> Architecture: amd64
> CurrentDesktop: Unity
> Date: Thu Nov 12 20:10:16 2015
> InstallationDate: Installed on 2015-10-30 (13 days ago)
> InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64
> (20151021)
> SourcePackage: libvirt
> UpgradeStatus: No upgrade log present (probably fresh install)
> modified.conffile..etc.apparmor.d.abstractions.libvirt.qemu: [modified]
> modified.conffile..etc.libvirt.libvirtd.conf: [modified]
> modified.conffile..etc.libvirt.qemu.conf: [inaccessible: [Errno 13]
> Permission denied: '/etc/libvirt/qemu.conf']
> modified.conffile..etc.libvirt.qemu.networks.default.xml: [inaccessible:
> [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml']
> mtime.conffile..etc.apparmor.d.abstractions.libvirt.qemu:
> 2015-11-12T20:03:10.223851
> mtime.conffile..etc.libvirt.libvirtd.conf: 2015-11-12T19:32:30.170352
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1515791/+subscriptions
>
Here is the VM's XML configuration:
<domain type='kvm' id='14'>
  <name>win7</name>
  <uuid>3c21df5e-dfef-4cf5-8e24-aeaa47235205</uuid>
  <memory unit='KiB'>5120000</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>6</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-vivid'>hvm</type>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Westmere</model>
  </cpu>
  <clock offset='localtime'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <backingStore/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/disk2/flat2/kvm-storage1/win7.img'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <boot order='1'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x2'/>
    </controller>
    <interface type='direct'>
      <mac address='52:54:00:7f:9b:38'/>
      <source dev='enp7s0' mode='bridge'/>
      <target dev='macvtap0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:35:78:6d'/>
      <source network='default' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/32'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/32'>
      <source path='/dev/pts/32'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='5910' autoport='no' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='vga' vram='16384' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x0b4d'/>
        <product id='0x112b'/>
        <address bus='6' device='19'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205</label>
    <imagelabel>libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205</imagelabel>
  </seclabel>
</domain>
Saludos,
Nahuel Greco.
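
An added example, not part of the original report or of libvirt's code: it parses the two AppArmor denials quoted in the bug description and checks which profile rules would allow them, reporting any permission a rule grants beyond the denied mask. The function names are illustrative, and the glob translation covers only a subset of AppArmor path globbing (`**`, `*`, `?`, `[...]`).

```python
import re

# The two denials quoted in the report, with the e-mail line wraps joined.
KERN_LOG = (
    'Nov 8 18:08:00 ombu kernel: [ 8603.301618] audit: type=1400 audit(1447016880.250:195): '
    'apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" '
    'name="/dev/bus/usb/005/016" pid=10345 comm="qemu-system-x86" requested_mask="rw" '
    'denied_mask="rw" fsuid=122 ouid=122\n'
    'Nov 12 20:01:35 ombu kernel: [360670.214358] audit: type=1400 audit(1447369295.810:1531): '
    'apparmor="DENIED" operation="open" profile="libvirt-3c21df5e-dfef-4cf5-8e24-aeaa47235205" '
    'name="/run/udev/data/c189:0" pid=8408 comm="qemu-system-x86" requested_mask="r" '
    'denied_mask="r" fsuid=122 ouid=0\n'
)
SHIPPED = ["/dev/bus/usb/ r,"]  # the abstraction line the reporter replaced
WORKAROUND = ["/dev/bus/usb/ rw,", "/dev/bus/usb/*/[0-9]* rw,", "/run/udev/** rw,"]
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = ({k: q or u for k, q, u in FIELD.findall(line)} for line in text.splitlines())
    return [r for r in records if r.get("apparmor") == "DENIED"]

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing to a regex (assumed semantics below)."""
    # ** crosses '/', while * and ? stay inside one path component.
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*|\*|\?|\[[^\]]*\]|.", glob)
    parts = (t if len(t) > 1 and t[0] == "[" else table.get(t, re.escape(t)) for t in tokens)
    return re.compile("".join(parts))

def covering(rules, denial):
    """Rules that allow the denied access, each with the permissions it grants beyond the mask."""
    need, hits = set(denial["denied_mask"]), []
    for rule in rules:
        path, perms = rule.rstrip(",").split()
        if glob_to_regex(path).fullmatch(denial["name"]) and need <= set(perms):
            hits.append((rule, "".join(sorted(set(perms) - need))))
    return hits

def minimal_rule(denial):
    """Narrowest rule for one denial: the literal path with exactly the denied mask."""
    return f'{denial["name"]} {denial["denied_mask"]},'

if __name__ == "__main__":
    for d in parse_denials(KERN_LOG):
        print(d["name"], "| shipped:", covering(SHIPPED, d),
              "| workaround:", covering(WORKAROUND, d), "| minimal:", minimal_rule(d))
```

For the second denial the only covering rule is `/run/udev/** rw,`, which grants `w` although the log shows `denied_mask="r"`.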