[Bug 640993] Re: passing a usb device in maverick with apparmor enabled fails

Jamie Strandboge jamie at ubuntu.com
Fri Sep 17 14:39:04 BST 2010 

I remember the issue now. The problem is that AppArmorSetSecurityHostdevLabel() is only a stub. It is a stub because while we would want to do something like this:
    if (profile_loaded(secdef->imagelabel) >= 0) {
        if (load_profile(drv, secdef->imagelabel, vm, NULL) < 0) {
            virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                   _("cannot update AppArmor profile "
                                     "\'%s\'"),
                                   secdef->imagelabel);
            return -1;
        }
    }

we cannot because the 'vm' xml that is passed to virt-aa-helper in this
implementation does not have the new xml for the newly attached drive.
Indeed

This is not a regression over lucid since it has the same problem and karmic didn't do it either. However, in karmic the /etc/apparmor.d/abstractions/libvirt-qemu had:
  # WARNING: uncommenting these gives the guest direct access to host hardware.
  # This is required for USB pass through but is a security risk. You have been
  # warned.
  #/sys/bus/usb/devices/ r,
  #/sys/devices/*/*/usb[0-9]*/** r,
  #/dev/bus/usb/*/[0-9]* rw,

But in lucid and later we have:
  # For hostdev access. The actual devices will be added dynamically
  /sys/bus/usb/devices/ r,
  /sys/devices/*/*/usb[0-9]*/** r,

part of the functionality for hostdev access was added to virt-aa-helper in lucid and later, but clearly not enough to fully fix hostdev hot attach. So the workaround is to update /etc/apparmor.d/libvirt-qemu to have:
  /dev/bus/usb/*/[0-9]* rw,

That does give all guests access to any usb hardware of course, which is
not all that great. People can add a more specific rule to
/etc/apparmor.d/libvirt/libvirt-<uuid> (not the .files file!) to limit
access for a specific guest to a specific USB device.

** Summary changed:

- passing a usb device in maverick with apparmor enabled fails
+ USB hot attach does not work (hostdev functionality only partially implemented)

-- 
USB hot attach does not work (hostdev functionality only partially implemented)
https://bugs.launchpad.net/bugs/640993
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

More information about the Ubuntu-server-bugs mailing list