security: AppArmor allow write when os loader readonly=no

Since libvirt commit 3ef9b51b10e52886e8fe8d75e36d0714957616b7,
the pflash storage for the os loader file follows its read-only flag,
and qemu tries to open the file for writing if set so.

This patches virt-aa-helper to generate the VM's AppArmor rules
that allow this, using the same domain definition flag and default.

Signed-off-by: Miroslav Los <mirlos@cisco.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index c1e89dc6cf867f39c3265d966db25dc515cf794c..4d2b8ac4abe1b26003f8510321ced4657899b881 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1002,9 +1002,14 @@ get_files(vahControl * ctl)
         if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
             goto cleanup;
 
-    if (ctl->def->os.loader && ctl->def->os.loader->path)
-        if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
+    if (ctl->def->os.loader && ctl->def->os.loader->path) {
+        bool readonly = false;
+        virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+        if (vah_add_file(&buf,
+                         ctl->def->os.loader->path,
+                         readonly ? "rk" : "rwk") != 0)
             goto cleanup;
+    }
 
     if (ctl->def->os.loader && ctl->def->os.loader->nvram) {
         if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)