- Apparmor: Add support for SUSE edk2 firmware paths

4959490e-support-SUSE-edk2-firmware-paths.patch boo#1208567 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=969
2023-03-02 23:20:42 +00:00 · 2023-03-02 23:20:42 +00:00 · e0dc60b804
commit e0dc60b804
parent 4e3b0799c4
3 changed files with 54 additions and 0 deletions
--- a/4959490e-support-SUSE-edk2-firmware-paths.patch
+++ b/4959490e-support-SUSE-edk2-firmware-paths.patch
@ -0,0 +1,46 @@
+From 4959490ed1356b8779868cfe16775ef5aef3cab7 Mon Sep 17 00:00:00 2001
+From: Jim Fehlig <jfehlig@suse.com>
+Date: Thu, 23 Feb 2023 11:02:46 -0700
+Subject: [PATCH] security: Add support for SUSE edk2 firmware paths
+
+SUSE installs edk2 firmwares for both x86_64 and aarch64 in /usr/share/qemu.
+Add support for this path in virt-aa-helper and allow locking files within
+the path in the libvirt qemu abstraction.
+
+Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+Reviewed-by: Andrea Bolognani <abologna@redhat.com>
+(cherry picked from commit b94a82ce9a3a27db2e6f76eacdb64428d11cbe6f)
+---
+ src/security/apparmor/libvirt-qemu | 2 +-
+ src/security/virt-aa-helper.c      | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index 8e4c3ab808..91dc8aacf8 100644
+--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
+@@ -91,7 +91,7 @@
+   /usr/share/proll/** r,
+   /usr/share/qemu-efi/** r,
+   /usr/share/qemu-kvm/** r,
+-  /usr/share/qemu/** r,
+  /usr/share/qemu/** rk,
+   /usr/share/seabios/** r,
+   /usr/share/sgabios/** r,
+   /usr/share/slof/** r,
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 6401690f5a..49a9ee9db8 100644
+--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
+@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
+         "/usr/share/AAVMF/",                 /* for AAVMF images */
+         "/usr/share/qemu-efi/",              /* for AAVMF images */
+         "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
+        "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
+         "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
+         "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
+         "/usr/share/qemu/"                   /* SUSE path for OVMF and AAVMF images */
+-- 
+2.39.2
+
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar  2 23:11:37 UTC 2023 - James Fehlig <jfehlig@suse.com>
+
+- Apparmor: Add support for SUSE edk2 firmware paths
+  4959490e-support-SUSE-edk2-firmware-paths.patch
+  boo#1208567
+
 -------------------------------------------------------------------
 Wed Mar  1 20:58:57 UTC 2023 - James Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -303,6 +303,7 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         4959490e-support-SUSE-edk2-firmware-paths.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch