From: intrigeri <intrigeri@xxxxxxxxxx> We forbid access to /usr/share/, but (at least on Debian-based systems) the Open Virtual Machine Firmware files needed for booting UEFI virtual machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add that directory to the list of read only paths. A similar patch was suggested by Jamie Strandboge <jamie@xxxxxxxxxxxxx> on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071. --- src/security/virt-aa-helper.c | 3 ++- tests/virt-aa-helper-test | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 8e01bf6..f163fe7 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -572,7 +572,8 @@ valid_path(const char *path, const bool readonly) "/boot/", "/vmlinuz", "/initrd", - "/initrd.img" + "/initrd.img", + "/usr/share/ovmf/" /* for OVMF images */ }; /* override the above with these */ const char * const override[] = { diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index caf2f97..1d03f5f 100755 --- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test @@ -291,6 +291,15 @@ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm touch "$tmpdir/kernel" testme "0" "kernel" "-r -u $valid_uuid" "$test_xml" +if [ -f /usr/share/ovmf/OVMF.fd ]; then + sed -e "s,###UUID###,$uuid,g" \ + -e "s,###DISK###,$disk1,g" \ + -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml" + testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml" +else + echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd" +fi + sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml" touch "$tmpdir/initrd" testme "0" "initrd" "-r -u $valid_uuid" "$test_xml" -- 2.1.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list