Permission error with USB unix-hotplug passthrough to container on Debian 13

Goal

I’m trying to get a USB device (PicoTech PicoScope 2204A) to work inside a container.

What works

On my personal PC, running Arch Linux, this works without issue:

sudo incus config device add informed-cardinal pico unix-hotplug vendorid=0ce9 productid=1007 mode=0666
# Now I have to physically re-plug the device in order for the /dev/bus node to show, but that's ok for now.
sudo incus shell informed-cardinal
$ dd if=/dev/bus/usb/008/032 bs=1 count=1  # inside container
1+0 records in
1+0 records out
1 byte copied, 2.4716e-05 s, 40.5 kB/s

The container has no further configuration. It is unprivileged.

The problem

But, when I do the same on my (pretty vanilla) Debian 13 machine, I get: dd: failed to open '/dev/bus/usb/002/016': Permission denied.

What I tried

I tried to add this raw lxc option, which is mentioned here and there on the web:

incus config set sound-katydid raw.lxc="lxc.cgroup2.devices.allow = c 189:* rwm"

The only observation is that, with that option in place, I get this error upon opening the container shell: -bash: /dev/null: Operation not permitted. Presumably the option overrides/messes up some important implicit lxc configuration.

Another thing I tried was to set lxc.apparmor.profile=unconfined; I don’t see any difference.

I also tried to make the container privileged, but this didn’t help either.
On the Debian host, the dd command does succeed.

Question

What is the difference between the Arch and Debian systems that leads to a permission error on Debian? What do I change to get this to work?

Thanks!
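As an added host-side check (example code written for this thread, not something the poster or the Incus project provides): the functions below walk sysfs to find the /dev/bus/usb node that belongs to a vendor/product ID pair, using the same bus/device numbering the container paths use, and then print its owner, mode and decimal major:minor so the host view can be compared with `ls -l` of the same path inside the container. They assume the standard sysfs layout under /sys/bus/usb/devices and GNU stat; the make_fake_sysfs helper and the "0ce9:1007 on bus 2, device 16" values it writes are constructed for the offline demonstration (the IDs and the path are the ones from the question).

```shell
#!/bin/sh
# Added example, not from the thread: locate the /dev/bus/usb node for a USB
# vendor/product ID pair by walking sysfs, then show ownership, mode and
# major:minor. SYSFS_ROOT is a parameter (normally /sys) so the lookup can be
# exercised against a constructed tree.

# usb_node_for_ids SYSFS_ROOT VENDORID PRODUCTID
# Prints "/dev/bus/usb/BBB/DDD" for every matching device, one per line.
usb_node_for_ids() {
    sysfs_root=$1; want_vendor=$2; want_product=$3
    for dev in "$sysfs_root"/bus/usb/devices/*; do
        # Interface directories (e.g. 2-1:1.0) carry no idVendor: skip them.
        [ -r "$dev/idVendor" ] || continue
        read -r vendor < "$dev/idVendor"
        read -r product < "$dev/idProduct"
        [ "$vendor" = "$want_vendor" ] && [ "$product" = "$want_product" ] || continue
        read -r bus < "$dev/busnum"
        read -r num < "$dev/devnum"
        printf '/dev/bus/usb/%03d/%03d\n' "$bus" "$num"
    done
}

# show_usb_node NODE
# Prints the owner/mode line and the decimal major:minor (GNU stat, as on
# Debian and Arch). Major 189 is the Linux usb_device major, i.e. what a
# cgroup device rule such as "c 189:* rwm" refers to.
show_usb_node() {
    node=$1
    ls -l "$node"
    maj=$(stat -c '%t' "$node"); min=$(stat -c '%T' "$node")
    printf 'major:minor = %d:%d\n' "$((0x$maj))" "$((0x$min))"
}

# make_fake_sysfs DIR
# Constructed sysfs tree for offline use: a root hub (1d6b:0002, bus 2 dev 1),
# the PicoScope from the question (0ce9:1007, bus 2 dev 16) and one interface
# directory that must be skipped.
make_fake_sysfs() {
    d="$1/bus/usb/devices"
    mkdir -p "$d/usb2" "$d/2-1" "$d/2-1:1.0"
    printf '1d6b\n' > "$d/usb2/idVendor"; printf '0002\n' > "$d/usb2/idProduct"
    printf '2\n'    > "$d/usb2/busnum";   printf '1\n'    > "$d/usb2/devnum"
    printf '0ce9\n' > "$d/2-1/idVendor";  printf '1007\n' > "$d/2-1/idProduct"
    printf '2\n'    > "$d/2-1/busnum";    printf '16\n'   > "$d/2-1/devnum"
}

# On a real host:  for n in $(usb_node_for_ids /sys 0ce9 1007); do show_usb_node "$n"; done
```

Run the same `ls -l` on the printed path inside the container (`incus exec <name> -- ls -l /dev/bus/usb/002/016`) and compare the two lines: the device passthrough is only the first step, the open() at the end still has to pass the node's owner/mode as seen from inside the container.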

Maybe AppArmor as that would be available on Debian but not on Arch?
If that’s the case, there may be something useful in dmesg.

With an unprivileged container, with or without the raw.lxc lxc.apparmor.profile=unconfined option in place, when I restart the container:

[Wed Apr 22 17:59:02 2026] audit: type=1400 audit(1776873542.636:385): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus-sound-katydid_</var/lib/incus>" pid=330389 comm="apparmor_parser"
[Wed Apr 22 17:59:03 2026] audit: type=1400 audit(1776873542.972:386): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-sound-katydid_</var/lib/incus>" pid=330679 comm="apparmor_parser"

No further messages when I attempt to dd, or when I replug the device.

Starting a privileged container results in these messages in dmesg:

[Wed Apr 22 18:00:01 2026] audit: type=1400 audit(1776873601.244:387): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="incus-sound-katydid_</var/lib/incus>" pid=331343 comm="apparmor_parser"
[Wed Apr 22 18:00:01 2026] audit: type=1400 audit(1776873601.628:388): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-sound-katydid_</var/lib/incus>" pid=331623 comm="apparmor_parser"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873601.992:389): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/dev/.incus-systemd-credentials/" pid=331651 comm="(sd-gens)" flags="ro, remount, bind"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873601.992:390): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/dev/pts/" pid=331651 comm="(sd-gens)" flags="ro, nosuid, noexec, remount, bind"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873601.992:391): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/dev/" pid=331651 comm="(sd-gens)" flags="ro, remount, bind"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873601.992:392): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/" pid=331651 comm="(sd-gens)" flags="ro, remount, bind"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873602.284:393): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/tmp/" pid=331734 comm="mount" flags="rw, move"

When I create a new container: sudo incus launch images:debian/trixie, without any customization (the default profile is not modified either), I also get the same: apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-moving-ibex_</var/lib/incus>" pid=332684 comm="apparmor_parser".

So, only when starting a privileged container does anything get DENIED. But, I get the permission denied with both priv and unpriv.
Is there any further AppArmor configuration I could change or test with?

Thank you!

NB.
I’m using your zabbly-incus-stable.sources repo, so version 6.23 now.
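Since the earlier reply pointed at dmesg, here is an added helper (example code, not from the thread or from Incus) that sifts AppArmor audit lines out of dmesg output and prints only the DENIED events with their operation, profile, path and mount flags, so the profile_load/profile_remove STATUS noise drops away and a denial can be tied to the command that triggered it. The lines in SAMPLE_DMESG are copied from the dmesg output posted above; the awk field extraction assumes the key="value" layout of kernel audit messages.

```shell
#!/bin/sh
# Added example, not from the thread: reduce dmesg to AppArmor DENIED events.
# Usage:  dmesg | aa_denials        (right after the failing dd)
#         dmesg | aa_denial_count

# aa_denials: reads dmesg text on stdin, prints one line per DENIED event as
#   <operation> <profile> <name> [<flags>]   ("-" where a field is absent)
aa_denials() {
    awk '
    # field(line, key): value of key="..." in an audit line, or "-"
    function field(line, key,    re) {
        re = key "=\"[^\"]*\""
        if (match(line, re))
            return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        return "-"
    }
    / apparmor="DENIED"/ {
        op = field($0, "operation"); prof = field($0, "profile")
        nm = field($0, "name");      fl = field($0, "flags")
        printf "%s %s %s [%s]\n", op, prof, nm, fl
    }'
}

# aa_denial_count: number of DENIED events on stdin (0 when there are none)
aa_denial_count() {
    awk '/ apparmor="DENIED"/ { n++ } END { print n + 0 }'
}

# Sample lines copied from the dmesg output posted in this thread: one STATUS
# line (must be ignored) and two DENIED mount events from the privileged start.
SAMPLE_DMESG='[Wed Apr 22 18:00:01 2026] audit: type=1400 audit(1776873601.628:388): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-sound-katydid_</var/lib/incus>" pid=331623 comm="apparmor_parser"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873601.992:390): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/dev/pts/" pid=331651 comm="(sd-gens)" flags="ro, nosuid, noexec, remount, bind"
[Wed Apr 22 18:00:02 2026] audit: type=1400 audit(1776873602.284:393): apparmor="DENIED" operation="mount" class="mount" info="failed type match" error=-13 profile="incus-sound-katydid_</var/lib/incus>" name="/tmp/" pid=331734 comm="mount" flags="rw, move"'

# Demonstration on the embedded sample; on a host, pipe dmesg in instead.
demo() {
    printf '%s\n' "$SAMPLE_DMESG" | aa_denials
    printf 'denied events: %s\n' "$(printf '%s\n' "$SAMPLE_DMESG" | aa_denial_count)"
}
```

On the sample this yields the two mount denials and nothing else, which matches the observation above that only the privileged start produces DENIED lines. One caveat when reading an empty result: AppArmor `deny` rules are silent unless written as `audit deny`, so the absence of a DENIED line for the open on /dev/bus/usb narrows the search but does not by itself rule the profile out.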