diff -Nru libvirt-3.6.0/debian/changelog libvirt-3.6.0/debian/changelog
--- libvirt-3.6.0/debian/changelog 2017-10-11 14:03:19.000000000 +0000
+++ libvirt-3.6.0/debian/changelog 2017-10-24 15:16:24.000000000 +0000
@@ -1,3 +1,14 @@
+libvirt (3.6.0-1ubuntu6) artful; urgency=medium
+
+ * d/p/ubuntu-aa/0037-virt-aa-helper...: grant locking permission on append files (LP: #1726804)
+ * d/p/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch: fix path generation for USB host devices (LP: #1552241)
+ * d/p/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch: generate valid rules on usb passthrough (LP: #1686324)
+
+ -- Christian Ehrhardt Tue, 24 Oct 2017 14:30:34 +0200
+
 libvirt (3.6.0-1ubuntu5) artful; urgency=medium
 * d/p/u/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch:
diff -Nru libvirt-3.6.0/debian/patches/series libvirt-3.6.0/debian/patches/series
--- libvirt-3.6.0/debian/patches/series 2017-10-11 14:03:06.000000000 +0000
+++ libvirt-3.6.0/debian/patches/series 2017-10-24 15:16:24.000000000 +0000
@@ -69,3 +69,6 @@
 ubuntu-aa/0036-virt-aa-helper-locking-loader-nvram-for-qemu-2.10.patch
 avoid-double-locking.patch
 ubuntu/gnulib-getopt-posix-Fix-build-failure-when-using-ac_cv_head.patch
+ubuntu-aa/0037-virt-aa-helper-grant-locking-permission-on-append-files.patch
+ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch
+ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch
diff -Nru libvirt-3.6.0/debian/patches/ubuntu-aa/0037-virt-aa-helper-grant-locking-permission-on-append-files.patch libvirt-3.6.0/debian/patches/ubuntu-aa/0037-virt-aa-helper-grant-locking-permission-on-append-files.patch
--- libvirt-3.6.0/debian/patches/ubuntu-aa/0037-virt-aa-helper-grant-locking-permission-on-append-files.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-3.6.0/debian/patches/ubuntu-aa/0037-virt-aa-helper-grant-locking-permission-on-append-files.patch 2017-10-24 14:57:15.000000000 +0000
@@ -0,0 +1,47 @@
+From 0b21b9d24e1e5b6c05dd7851d3002fb4308f2aa1 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Tue, 24 Oct 2017 14:18:53 +0200
+Subject: [PATCH] virt-aa-helper: grnat locking permission on appended files
+
+Hot-adding disk devices does not parse the full XML to generate apparmor
+rules. Instead it uses -f to append a generic rule for that path.
+
+580cdaa7: "virt-aa-helper: locking disk files for qemu 2.10" implemented
+the qemu 2.10 requirement to allow locking for disks that are part of
+the domain xml.
+
+But on attach-device a user will still trigger an apparmor deny like:
+ error: internal error: unable to execute QEMU command 'device_add':
+ Property 'virtio-blk-device.drive' can't find value 'drive-virtio-disk2'
+
+Therefore add the lock "k" permission to the append call to fix hot-add.
+
+Signed-off-by: Christian Ehrhardt
+---
+ src/security/virt-aa-helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Forwarded: yes (https://www.redhat.com/archives/libvir-list/2017-October/msg01096.html)
+Author: Christian Ehrhardt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1726804
+Last-Update: 2017-10-24
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -1152,7 +1152,7 @@ get_files(vahControl * ctl)
+ }
+
+ if (ctl->newfile)
+- if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
++ if (vah_add_file(&buf, ctl->newfile, "rwk") != 0)
+ goto cleanup;
+
+ if (virBufferError(&buf)) {
+@@ -1336,7 +1336,7 @@ main(int argc, char **argv)
+ vah_error(ctl, 1, _("profile exists"));
+
+ if (ctl->append && ctl->newfile) {
+- if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
++ if (vah_add_file(&buf, ctl->newfile, "rwk") != 0)
+ goto cleanup;
+ } else {
+ if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU ||
diff -Nru libvirt-3.6.0/debian/patches/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch libvirt-3.6.0/debian/patches/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch
---
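Review bot: In 0037-virt-aa-helper-grant-locking-permission-on-append-files.patch both changed vah_add_file calls widen the appended rule from `rw` to `rwk` without a comment saying why, so a later reader may well narrow it back; a one-liner at each site such as `/* "k": qemu >= 2.10 locks the disk images it opens (see 580cdaa7) */` would keep the reasoning that only the commit message carries today. Because the append path (`-f`) handles whatever path it is handed, the lock permission now goes to every appended file rather than only to disks, which is what the commit message says 580cdaa7 does for the full-XML path; that widening is small but worth stating explicitly. The Subject line reads `grnat` where `grant` is meant. The enclosing get_files and main bodies continue outside the hunk.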
libvirt-3.6.0/debian/patches/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-3.6.0/debian/patches/ubuntu-aa/0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch 2017-10-24 14:57:23.000000000 +0000
@@ -0,0 +1,66 @@
+From 750e08443a7b07324d75b4c7648b15a9d77b124e Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Wed, 20 Sep 2017 16:59:06 +0200
+Subject: virt-aa-helper: fix paths for usb hostdevs
+
+If users only specified vendor&product (the common case) then parsing
+the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
+Bus and Device would much later be added when the devices are prepared
+to be added.
+
+Due to that a hot-add of a usb hostdev works as the device is prepared
+and virt-aa-helper processes the new internal xml. But on an initial
+guest start at the time virt-aa-helper renders the apparmor rules the
+bus/device id's are not set yet:
+
+p ctl->def->hostdevs[0]->source.subsys.u.usb
+$12 = {autoAddress = false, bus = 0, device = 0, vendor = 1921, product
+= 21888}
+
+That causes rules to be wrong:
+ "/dev/bus/usb/000/000" rw,
+
+The fix calls virHostdevFindUSBDevice after reading the XML from
+virt-aa-helper to only add apparmor rules for devices that could be found
+and now are fully known to be able to write the rule correctly.
+
+It uncondtionally sets virHostdevFindUSBDevice mandatory attribute as
+adding an apparmor rule for a device not found makes no sense no matter
+what startup policy it has set.
+
+Signed-off-by: Christian Ehrhardt
+Signed-off-by: Michal Privoznik
+---
+ src/security/virt-aa-helper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Forwarded: no (backport)
+Origin: https://libvirt.org/git/?p=libvirt.git;a=commit;h=750e08443a7b07324d75b4c7648b15a9d77b124e
+Author: Christian Ehrhardt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1552241
+Last-Update: 2017-10-24
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 7944dc1..d1518ea 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -55,6 +55,7 @@
+ #include "virrandom.h"
+ #include "virstring.h"
+ #include "virgettext.h"
++#include "virhostdev.h"
+
+ #include "storage/storage_source.h"
+
+@@ -1069,6 +1070,9 @@ get_files(vahControl * ctl)
+ if (usb == NULL)
+ continue;
+
++ if (virHostdevFindUSBDevice(dev, true, &usb) < 0)
++ continue;
++
+ rc = virUSBDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
+ virUSBDeviceFree(usb);
+ if (rc != 0)
+--
+2.7.4
+
diff -Nru libvirt-3.6.0/debian/patches/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch libvirt-3.6.0/debian/patches/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch
--- libvirt-3.6.0/debian/patches/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-3.6.0/debian/patches/ubuntu-aa/0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch 2017-10-24 14:57:25.000000000 +0000
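Review bot: In 0038-virt-aa-helper-fix-paths-for-usb-hostdevs.patch the new `continue` taken when virHostdevFindUSBDevice fails skips the `virUSBDeviceFree(usb)` a few lines below, so the object that just passed the `usb == NULL` check is leaked on that path; and because `&usb` is handed over as an out-parameter, a successful lookup that stores a fresh device there would drop the earlier object as well — the code that initialises `usb` sits above the hunk, so this is inferred from the visible flow. virt-aa-helper is a short-lived process and the cost is small, but ownership should still be explicit, e.g. `virUSBDeviceFree(usb); usb = NULL;` immediately before the lookup, or dropping the pre-lookup construction altogether if it exists only to be replaced here. get_files starts before and ends after the hunk.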
@@ -0,0 +1,45 @@
+From bf3a4140877299cf351821518d269bcd4888f2f1 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Wed, 20 Sep 2017 16:59:07 +0200
+Subject: virt-aa-helper: fix libusb access to udev usb data
+
+libusb as used by qemu needs to read data from /run/udev/data/ about usb
+devices. That is read once on the first initialization of libusb_init by
+qemu.
+
+Therefore generating just the device we need would not be sufficient as
+another hotplug later can need another device which would fail as the
+data is no more re-read at this point.
+
+But we can restrict the paths very much to just the major number of
+potential usb devices which will make it match approximately the detail
+that e.g. an lsusb -v would reveal - that is much safer than the
+"/run/udev/data/* r" blanket many users are using now as a workaround.
+
+Signed-off-by: Christian Ehrhardt
+---
+ examples/apparmor/libvirt-qemu | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Forwarded: no (backport)
+Origin: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf3a4140877299cf351821518d269bcd4888f2f1
+Author: Christian Ehrhardt
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686324
+Last-Update: 2017-10-24
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index dcfb1a5..b341e31 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -29,6 +29,9 @@
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
++ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
++ /run/udev/data/c16[6,7]* r,
++ /run/udev/data/c18[0,8,9]* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+--
+2.7.4
+
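Review bot: In 0039-virt-aa-helper-fix-libusb-access-to-udev-usb-data.patch the two new rules use `[6,7]` and `[0,8,9]`, which in AppArmor path globs are character classes, so the comma is matched as a literal character rather than separating alternatives; `c16,*` and `c18,*` are admitted as well, harmless today but not what the rule reads as saying. Writing them as `/run/udev/data/c16[67]* r,` and `/run/udev/data/c18[089]* r,` expresses the intent exactly. The comment above them would also be more useful if it said which device classes those char majors stand for, checked against the kernel's devices.txt rather than taken from memory.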