[Bug 545795] Re: apparmor driver blocks access to hostdev and pcidev devices
Andreas Ntaflos
daff at dword.org
Mon May 3 18:49:58 BST 2010
I'm sorry to post to this bug that has a status of "Fix released" but I
am not sure it is really fixed. I have a situation similar to the
original poster's concerning a USB card reader that won't make it past
AppArmor, it seems. Using libvirt-bin 0.7.5-5ubuntu27.
Situation: one of our servers was upgraded from Ubuntu 9.10 to 10.04
today. The server runs a few Ubuntu 9.10 VMs, nothing fancy or out of
the ordinary. These VMs were defined and installed a few weeks ago,
prior to the release of and update to Ubuntu 10.04 (if that matters at
all).
We've had problems with AppArmor and Libvirt/KVM before so we disabled
AppArmor and pass-through of the USB card readers worked fine this way.
This situation was not ideal from a security point-of-view but since the
host and guests are strictly for internal test and development purposes
we went with it. Now I see that a lot has happened with regards to
AppArmor, USB and PCI pass-through and Libvirt, so I tried enabling
AppArmor again. Alas, when starting a VM, dmesg and /var/log/kern.log show
these entries, repeating every second it seems:
May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 audit(1272908658.618:785): operation="open" pid=1532 parent=1 profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"
The guest of course does not get to see anything of the USB device in
question. Please find the XML definition of the guest in question here:
https://daff.pseudoterminal.org/files/vm-usb.txt
After disabling AppArmor (/etc/init.d/apparmor stop) the USB device is
again visible in the guest.
Why would this happen? The file /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
explicitly states that access to /sys/devices/** should be
allowed. Am I missing anything? I can experiment and run tests on this
server for the next week or so, so please tell me if I can help
debugging anything.
--
apparmor driver blocks access to hostdev and pcidev devices
https://bugs.launchpad.net/bugs/545795
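An added example (not part of the message above, nor libvirt's or AppArmor's own code) that parses the denial line quoted in the report and checks which profile, and which rule, would have to cover the denied path. It assumes only the simplified AppArmor glob subset shown (`**` crosses `/`, `*` and `?` do not); the profile-to-rules mapping is a constructed input.

```python
import re

# Constructed sample: the AppArmor denial quoted in the message above.
SAMPLE_DENIAL = (
    'May 3 19:44:18 TESTHOST kernel: [ 2407.509182] type=1503 '
    'audit(1272908658.618:785): operation="open" pid=1532 parent=1 '
    'profile="libvirt-959806d1-327a-cd14-6b3f-ddeee8a19d0e" requested_mask="r::" '
    'denied_mask="r::" fsuid=0 ouid=0 '
    'name="/sys/devices/pci0000:00/0000:00:1e.0/0000:01:04.4/usb6/devnum"'
)

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def apparmor_glob_to_regex(glob):
    """Translate a (simplified) AppArmor path glob into an anchored regex.
    '**' matches any characters including '/', '*' and '?' stop at '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*'); i += 2
        elif glob[i] == '*':
            out.append('[^/]*'); i += 1
        elif glob[i] == '?':
            out.append('[^/]'); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile('^' + ''.join(out) + '$')


def rule_covers(rule_glob, path):
    """True if the path rule's glob matches the denied path."""
    return apparmor_glob_to_regex(rule_glob).match(path) is not None


def explain(line, rules):
    """rules: {profile name: [read-allowed path globs]} (constructed input).
    Returns (confining profile, first matching rule or None): a rule only
    helps if it lives in the profile named in the denial, not another one."""
    f = parse_denial(line)
    profile = f.get('profile')
    for glob in rules.get(profile, []):
        if rule_covers(glob, f['name']):
            return profile, glob
    return profile, None
```

Running `explain(SAMPLE_DENIAL, {"virt-aa-helper": ["/sys/devices/**"]})` shows the glob does match the path but is attached to a different profile than the one named in the denial, which is the first thing to check when a denial seems to contradict a profile file.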