[PATCH] security: Add support for SUSE edk2 firmware paths

Jim Fehlig jfehlig at suse.com
Thu Feb 23 18:13:28 UTC 2023


SUSE installs edk2 firmwares for both x86_64 and aarch64 in /usr/share/qemu.
Add support for this path in virt-aa-helper and allow locking files within
the path in the libvirt qemu abstraction.

Signed-off-by: Jim Fehlig <jfehlig at suse.com>
---

FYI, I'm fine maintaining this patch downstream if such a distro-specific
change is unwanted upstream. I've already maintained the virt-aa-helper
hunk for several years.

 src/security/apparmor/libvirt-qemu | 2 +-
 src/security/virt-aa-helper.c      | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index d0289b8943..9af1333b22 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -91,7 +91,7 @@
   /usr/share/proll/** r,
   /usr/share/qemu-efi/** r,
   /usr/share/qemu-kvm/** r,
-  /usr/share/qemu/** r,
+  /usr/share/qemu/** rk,
   /usr/share/seabios/** r,
   /usr/share/sgabios/** r,
   /usr/share/slof/** r,
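
Review bot: The `k` on `/usr/share/qemu/** rk,` grants file locking on everything under /usr/share/qemu, not only the edk2 firmware images the commit message is about, and the message does not say why locking is needed there. The neighbouring firmware rules such as `/usr/share/qemu-efi/** r,` stay read-only without lock permission, so the difference deserves a sentence in the commit message or a comment above the rule. If only the firmware files need to be locked, consider a separate, narrower rule for them and leaving the existing `/usr/share/qemu/** r,` line as it was.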
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f6c9703db6..d65d459850 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
         "/usr/share/AAVMF/",                 /* for AAVMF images */
         "/usr/share/qemu-efi/",              /* for AAVMF images */
         "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
+        "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
         "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
         "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
     };
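
Review bot: The new `"/usr/share/qemu/"` entry in valid_path() matches the whole directory, while its comment describes it as a path for OVMF and AAVMF images only, so any file under that prefix passes this check, not just firmware. Please note in the commit message that the broader match is intended, and, since valid_path() takes a `readonly` argument, whether this list is only consulted for read-only access. The comment is also noticeably longer than the ones around it; something like "SUSE OVMF and AAVMF images" would keep the line in step with its neighbours.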
-- 
2.39.2


