From e0dc60b804ebb3892b08cedb317c3846ddf36fbd7f437b27c285730bd85c1611 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Thu, 2 Mar 2023 23:20:42 +0000
Subject: [PATCH] - Apparmor: Add support for SUSE edk2 firmware paths 4959490e-support-SUSE-edk2-firmware-paths.patch boo#1208567
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=969
---
...90e-support-SUSE-edk2-firmware-paths.patch | 46 +++++++++++++++++++
libvirt.changes | 7 +++
libvirt.spec | 1 +
3 files changed, 54 insertions(+)
create mode 100644 4959490e-support-SUSE-edk2-firmware-paths.patch
diff --git a/4959490e-support-SUSE-edk2-firmware-paths.patch b/4959490e-support-SUSE-edk2-firmware-paths.patch
new file mode 100644
index 0000000..1deeef2
--- /dev/null
+++ b/4959490e-support-SUSE-edk2-firmware-paths.patch
@@ -0,0 +1,46 @@
+From 4959490ed1356b8779868cfe16775ef5aef3cab7 Mon Sep 17 00:00:00 2001
+From: Jim Fehlig
+Date: Thu, 23 Feb 2023 11:02:46 -0700
+Subject: [PATCH] security: Add support for SUSE edk2 firmware paths
+
+SUSE installs edk2 firmwares for both x86_64 and aarch64 in /usr/share/qemu.
+Add support for this path in virt-aa-helper and allow locking files within
+the path in the libvirt qemu abstraction.
+
+Signed-off-by: Jim Fehlig
+Reviewed-by: Michal Privoznik
+Reviewed-by: Andrea Bolognani
+(cherry picked from commit b94a82ce9a3a27db2e6f76eacdb64428d11cbe6f)
+---
+ src/security/apparmor/libvirt-qemu | 2 +-
+ src/security/virt-aa-helper.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index 8e4c3ab808..91dc8aacf8 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -91,7 +91,7 @@
+ /usr/share/proll/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/qemu-kvm/** r,
+- /usr/share/qemu/** r,
++ /usr/share/qemu/** rk,
+ /usr/share/seabios/** r,
+ /usr/share/sgabios/** r,
+ /usr/share/slof/** r,
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 6401690f5a..49a9ee9db8 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
+ "/usr/share/AAVMF/", /* for AAVMF images */
+ "/usr/share/qemu-efi/", /* for AAVMF images */
+ "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
++ "/usr/share/qemu/", /* SUSE path for OVMF and AAVMF images */
+ "/usr/lib/u-boot/", /* u-boot loaders for qemu */
+ "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
+ "/usr/share/qemu/" /* SUSE path for OVMF and AAVMF images */
+--
+2.39.2
+
diff --git a/libvirt.changes b/libvirt.changes
index 8ff1936..9675186 100644
--- a/libvirt.changes
+++ b/libvirt.changes
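Review bot: In the embedded virt-aa-helper.c hunk, the context line `"/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */` has no trailing comma and is followed by a second `"/usr/share/qemu/"` literal, so as shown the two adjacent strings concatenate into a single array element that matches neither path. The added `"/usr/share/qemu/",` entry makes the SUSE firmware path effective, but the opensbi entry stays broken and the trailing literal is redundant. In the patched source I would end the list with `"/usr/lib/riscv64-linux-gnu/opensbi", /* RISC-V SBI implementation */` and drop the leftover `"/usr/share/qemu/"` line. The array's declaration lies outside the hunk, so which valid_path() list is affected should be confirmed against the full file. Separately, `/usr/share/qemu/** rk` grants lock permission on the whole tree; if only the firmware images need locking, a narrower glob would keep the AppArmor abstraction tighter.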
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Mar 2 23:11:37 UTC 2023 - James Fehlig + +- Apparmor: Add support for SUSE edk2 firmware paths + 4959490e-support-SUSE-edk2-firmware-paths.patch + boo#1208567 + ------------------------------------------------------------------- Wed Mar 1 20:58:57 UTC 2023 - James Fehlig diff --git a/libvirt.spec b/libvirt.spec index 80f5581..b1d33e2 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -303,6 +303,7 @@ Source6: libvirtd-relocation-server.xml Source99: baselibs.conf Source100: %{name}-rpmlintrc # Upstream patches +Patch0: 4959490e-support-SUSE-edk2-firmware-paths.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch