]> git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
projects / thirdparty / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d6245e3)
virt-aa-helper: allow common riscv64 loader paths
authorChristian Ehrhardt <christian.ehrhardt@canonical.com>
Tue, 27 Sep 2022 09:03:07 +0000 (11:03 +0200)
committerChristian Ehrhardt <christian.ehrhardt@canonical.com>
Tue, 4 Oct 2022 06:22:09 +0000 (08:22 +0200)
Riscv64 usually uses u-boot as external -kernel and a loader from
the open implementation of RISC-V SBI. The paths for those binaries
as packaged in Debian and Ubuntu are in paths which are usually
forbidden to be added by the user under /usr/lib...

People used to start riscv64 guests only manually via qemu cmdline,
but trying to encapsulate that via libvirt now causes failures when
starting the guest due to the apparmor isolation not allowing that:
   virt-aa-helper: error: skipped restricted file
   virt-aa-helper: error: invalid VM definition

Explicitly allow the sub-paths used by u-boot-qemu and opensbi
under /usr/lib/ as readonly rules.

Fixes: https://launchpad.net/bugs/1990499
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
src/security/virt-aa-helper.c patch | blob | blame | history

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f338488da3cd9df3c66a6fd7eb88d826f6c65170..ceadaef99b732c4da9f039c9a25d2f91f3ba2943 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly)
         "/initrd",
         "/initrd.img",
         "/usr/share/edk2/",
-        "/usr/share/OVMF/",              /* for OVMF images */
-        "/usr/share/ovmf/",              /* for OVMF images */
-        "/usr/share/AAVMF/",             /* for AAVMF images */
-        "/usr/share/qemu-efi/",          /* for AAVMF images */
-        "/usr/share/qemu-efi-aarch64/"   /* for AAVMF images */
+        "/usr/share/OVMF/",                  /* for OVMF images */
+        "/usr/share/ovmf/",                  /* for OVMF images */
+        "/usr/share/AAVMF/",                 /* for AAVMF images */
+        "/usr/share/qemu-efi/",              /* for AAVMF images */
+        "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
+        "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
+        "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
     };
     /* override the above with these */
     const char * const override[] = {
Mirror of https://github.com/libvirt/libvirt.git