[Pkg-libvirt-maintainers] Bug#846534: libvirt-daemon-system: VM with usb host device fails to start when apparmor is enabled

intrigeri intrigeri at debian.org
Mon Jan 15 06:30:57 UTC 2018


Control: tag -1 + fixed-upstream

Hi,

Kjö Hansi Glaz:
> libvirtError: internal error: qemu unexpectedly closed the monitor: 2016-12-01T22:30:29.196276Z qemu-system-x86_64: -device usb-host,hostbus=3,hostaddr=5,id=hostdev0,bus=usb.0,port=4: failed to find host usb device 3:5

For the record I can reproduce this on current sid:

  $ virsh start tails-dev 
  error: Failed to start domain tails-dev
  error: internal error: qemu unexpectedly closed the monitor: libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/002/007: Permission denied
  libusb: error [_get_usbfs_fd] libusb requires write access to USB device nodes.
  2018-01-15T06:18:24.202580Z qemu-system-x86_64: -device usb-host,hostbus=2,hostaddr=7,id=hostdev0,bootindex=2,bus=usb.0,port=3: failed to open host usb device 2:7

>    * System log when starting the VM:

Here's what I see now:

  Jan 15 07:16:45 ensifera audit[21964]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21964 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jan 15 07:16:45 ensifera audit[21966]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21966 comm="apparmor_parser"
  Jan 15 07:16:45 ensifera audit[21968]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21968 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jan 15 07:16:45 ensifera audit[21980]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21980 comm="apparmor_parser"
  Jan 15 07:16:46 ensifera audit[21984]: AVC apparmor="DENIED" operation="open" profile="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" name="/dev/bus/usb/002/007" pid=21984 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=119 ouid=119

My guess was that virt-aa-helper tries to read the info it
needs to add the relevant USB device nodes to $profile.files, which
explains why the VM is actually forbidden to access them.

And indeed, if I add this line to
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

  /sys/bus/usb/devices/ r,

… then virt-aa-helper successfully adds that line to
/etc/apparmor.d/libvirt/libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef.files:

  "/dev/bus/usb/002/007" rw,

… and the VM starts just fine.

This change was already applied upstream (commit
59249778705693e54df21710116ae213b194fa50) so we'll get it once the
latest release is packaged for Debian.

Cheers,
-- 
intrigeri
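The audit lines quoted in this report were read by hand to work out which profile needs which rule. As an added example (not code from the bug report, from intrigeri, or from the libvirt project), the shell snippet below does that reading mechanically: it filters AVC "DENIED" events for one named profile and prints the corresponding candidate `path perms,` rule lines, with the permission letters normalised (so `denied_mask="wr"` becomes `rw`). The sample lines are constructed, modelled on the ones above; the function name `avc_rules_for` is mine; it assumes the `key="value"` layout seen in journalctl and auditd output and paths without whitespace.

```sh
#!/bin/sh
# Added example (not from the bug report or the libvirt project): turn AppArmor
# AVC "DENIED" audit lines into candidate profile rules, per confined profile.
# Assumes the journalctl/auditd key="value" layout shown in the report and
# paths without whitespace (name="..." is taken as a single field).

# Constructed sample, modelled on the audit lines quoted in the bug report.
SAMPLE_AVC='Jan 15 07:16:45 ensifera audit[21964]: AVC apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/sys/bus/usb/devices/" pid=21964 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 15 07:16:45 ensifera audit[21966]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" pid=21966 comm="apparmor_parser"
Jan 15 07:16:46 ensifera audit[21984]: AVC apparmor="DENIED" operation="open" profile="libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef" name="/dev/bus/usb/002/007" pid=21984 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=119 ouid=119'

# avc_rules_for PROFILE  (reads audit lines on stdin)
# Prints one "<path> <perms>," rule per distinct file denial of PROFILE,
# with the permission letters ordered the way profiles conventionally write
# them (so denied_mask="wr" becomes "rw"). STATUS lines and other profiles
# are ignored.
avc_rules_for() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            prof = ""; name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") != 2) continue
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "profile")          prof = v
                else if (kv[1] == "name")        name = v
                else if (kv[1] == "denied_mask") mask = v
            }
            if (prof != want || name == "" || mask == "") next
            perms = ""
            n = split("r w a k l m x", order, " ")
            for (j = 1; j <= n; j++)
                if (index(mask, order[j])) perms = perms order[j]
            print name " " perms ","
        }' | sort -u
}

# Stand-alone usage: the helper profile and the generated per-VM profile.
echo "== rules missing from the virt-aa-helper profile =="
printf '%s\n' "$SAMPLE_AVC" | avc_rules_for virt-aa-helper
echo "== denials under the per-VM profile (generated file, do not edit) =="
printf '%s\n' "$SAMPLE_AVC" | avc_rules_for libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef
```

On a real system, pipe `journalctl` output or `/var/log/audit/audit.log` into `avc_rules_for <profile>` instead of the constructed sample; both formats carry the same `key="value"` fields. The output for `virt-aa-helper` is the rule that belongs in `/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper`; the output for the per-VM `libvirt-<uuid>` profile is only a symptom, because that `.files` fragment is regenerated by virt-aa-helper on every start and any hand edit to it is lost.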
