[PATCH] virt-aa-helper: allow common riscv64 loader paths

Jim Fehlig jfehlig at suse.com
Thu Sep 29 21:30:51 UTC 2022


On 9/28/22 06:45, christian.ehrhardt at canonical.com wrote:
> From: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> 
> Riscv64 usually uses u-boot as external -kernel and a loader from
> the open implementation of RISC-V SBI. The paths for those binaries
> as packaged in Debian and Ubuntu are in paths which are usually
> forbidden to be added by the user under /usr/lib...

Do you know if the path is configurable? Are distros free to put those binaries 
where they choose? E.g. /usr/libexec or similar?

Regards,
Jim

> 
> People used to start riscv64 guests only manually via qemu cmdline,
> but trying to encapsulate that via libvirt now causes failures when
> starting the guest due to the apparmor isolation not allowing that:
>     virt-aa-helper: error: skipped restricted file
>     virt-aa-helper: error: invalid VM definition
> 
> Explicitly allow the sub-paths used by u-boot-qemu and opensbi
> under /usr/lib/ as readonly rules.
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>   src/security/virt-aa-helper.c | 12 +++++++-----
>   1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index f338488da3..ceadaef99b 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly)
>           "/initrd",
>           "/initrd.img",
>           "/usr/share/edk2/",
> -        "/usr/share/OVMF/",              /* for OVMF images */
> -        "/usr/share/ovmf/",              /* for OVMF images */
> -        "/usr/share/AAVMF/",             /* for AAVMF images */
> -        "/usr/share/qemu-efi/",          /* for AAVMF images */
> -        "/usr/share/qemu-efi-aarch64/"   /* for AAVMF images */
> +        "/usr/share/OVMF/",                  /* for OVMF images */
> +        "/usr/share/ovmf/",                  /* for OVMF images */
> +        "/usr/share/AAVMF/",                 /* for AAVMF images */
> +        "/usr/share/qemu-efi/",              /* for AAVMF images */
> +        "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
> +        "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
> +        "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
>       };
>       /* override the above with these */
>       const char * const override[] = {
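Review bot: the new "/usr/lib/riscv64-linux-gnu/opensbi" entry is the only directory-style entry in the list without a trailing slash; if valid_path() compares these entries as prefixes, it also admits any sibling path beginning with that string (for example /usr/lib/riscv64-linux-gnu/opensbi-other/...), so either append the "/" as "/usr/lib/u-boot/" does, or add a comment saying a single file rather than a directory is intended. The re-indentation of the five existing OVMF/AAVMF lines is whitespace-only churn to realign the comments; keeping the old alignment, or moving it to a separate cleanup patch, would leave the functional change limited to the two added lines.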
