Affected by this as well. I have libvirt VMs on a system that was upgraded from 14.04 that fail on 16.04 due to updated AppArmor settings.
I'm trying to pass a USB dongle through to a Windows instance:
<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <vendor id='0x04b9'/>
    <product id='0x0300'/>
  </source>
</hostdev>
This was added years ago, probably through the libvirt GUI.
Relevant Logs:
Apr 24 04:24:46 phantom-ssd kernel: [682883.819567] audit: type=1400 audit(1493033086.602:277): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:1" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:46 phantom-ssd kernel: [682883.819697] audit: type=1400 audit(1493033086.602:278): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:129" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:46 phantom-ssd kernel: [682883.819815] audit: type=1400 audit(1493033086.602:279): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:0" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:46 phantom-ssd kernel: [682883.819934] audit: type=1400 audit(1493033086.602:280): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:128" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:46 phantom-ssd kernel: [682883.820120] audit: type=1400 audit(1493033086.602:281): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:256" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
I've tried being selective about what's allowed, e.g. /run/udev/data/c189*, but then Windows fails when it tries to enumerate the USB entries, /run/udev/data/+usb*.
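Added example, not part of the original comment: a small Python parser that groups AppArmor DENIED audit records like the ones quoted above by profile and path, so the exact denied paths can be reviewed before deciding how wide a glob to allow. The function names, the `example-host`/`example-profile` records and the hex-encoded path are constructed for illustration.

```python
import re
from collections import defaultdict

# First two lines are copied from the log in the comment above; the last two are
# constructed for this example (a hex-encoded name and a non-AppArmor record).
SAMPLE_LOG = """\
Apr 24 04:24:46 phantom-ssd kernel: [682883.819567] audit: type=1400 audit(1493033086.602:277): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:1" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:46 phantom-ssd kernel: [682883.819697] audit: type=1400 audit(1493033086.602:278): apparmor="DENIED" operation="open" profile="libvirt-b702ed58-3a9c-77bc-7e52-bcc8053192a4" name="/run/udev/data/c189:129" pid=27849 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=119 ouid=0
Apr 24 04:24:47 example-host kernel: [1.000000] audit: type=1400 audit(1493033087.000:1): apparmor="DENIED" operation="open" profile="example-profile" name=2F746D702F612062 pid=1 comm="example" requested_mask="wr" denied_mask="w" fsuid=0 ouid=0
Apr 24 04:24:47 example-host kernel: [1.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Yield a dict of key=value fields for each AppArmor DENIED record."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for m in FIELD_RE.finditer(line):
            key, quoted, bare = m.groups()
            rec[key] = bare if quoted is None else quoted
            # An unquoted name is hex-encoded by the audit subsystem
            # (used when the path contains spaces or control characters).
            if key == "name" and quoted is None:
                try:
                    rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass
        yield rec


def summarize(text):
    """Return {profile: {path: sorted denied permission letters}}."""
    acc = defaultdict(lambda: defaultdict(set))
    for rec in parse_denials(text):
        if "profile" in rec and "name" in rec:
            acc[rec["profile"]][rec["name"]].update(rec.get("denied_mask", ""))
    return {p: {n: "".join(sorted(m)) for n, m in sorted(paths.items())}
            for p, paths in acc.items()}


def rule_lines(paths):
    """Exact-path AppArmor file rules for one profile's denials, for review."""
    return [('"%s" %s,' if " " in n else "%s %s,") % (n, m) for n, m in paths.items()]


if __name__ == "__main__":
    for profile, paths in summarize(SAMPLE_LOG).items():
        print(profile, *rule_lines(paths), sep="\n  ")
```
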