Re: [PATCH 2/8] apparmor, virt-aa-helper: allow /usr/share/OVMF/ too

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 19.05.2017 09:46, Guido Günther wrote:
> Hi Stefan,
> On Thu, May 18, 2017 at 10:53:40AM +0200, Stefan Bader wrote:
>> From: Simon McVittie <smcv@xxxxxxxxxx>
>>
>> The split firmware and variables files introduced by
>> https://bugs.debian.org/764918 are in a different directory for some reason.
>> Let the virtual machine read both.
>>
>> Extended by Christian Ehrhardt to generalize FW test (simplifies
>> additional testing on firmware files in future).
> 
> If you want to credit this separately I suggest to split the ode that
> itroduces testfw into one commit (attributed to Christian) and the code
> that adds read access to OVMF into another one (attributed to Simon).

Though Simon already added some testing (just limited to the one addition made
then). I guess I could re-submit Simon's patch as it was and create one
additionally which only changes the testing (for future use). Which then the
next (3/8) uses.

> 
> Cheers,
>  -- Guido
> 
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
>> Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
>> Acked-by: Guido Günther <agx@xxxxxxxxxxx>
>> ---
>>  examples/apparmor/libvirt-qemu |  1 +
>>  src/security/virt-aa-helper.c  |  1 +
>>  tests/virt-aa-helper-test      | 24 ++++++++++++++++--------
>>  3 files changed, 18 insertions(+), 8 deletions(-)
>>
>> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
>> index a9020aa..e0988bb 100644
>> --- a/examples/apparmor/libvirt-qemu
>> +++ b/examples/apparmor/libvirt-qemu
>> @@ -70,6 +70,7 @@
>>    /usr/share/vgabios/** r,
>>    /usr/share/seabios/** r,
>>    /usr/share/ovmf/** r,
>> +  /usr/share/OVMF/** r,
>>  
>>    # access PKI infrastructure
>>    /etc/pki/libvirt-vnc/** r,
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index d976a00..dd166c2 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
>>          "/vmlinuz",
>>          "/initrd",
>>          "/initrd.img",
>> +        "/usr/share/OVMF/",              /* for OVMF images */
>>          "/usr/share/ovmf/"               /* for OVMF images */
>>      };
>>      /* override the above with these */
>> diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
>> index 68e9399..73f3080 100755
>> --- a/tests/virt-aa-helper-test
>> +++ b/tests/virt-aa-helper-test
>> @@ -145,6 +145,20 @@ testme() {
>>      fi
>>  }
>>  
>> +testfw() {
>> +    title="$1"
>> +    fwpath="$2"
>> +
>> +    if [ -f "$fwpath" ]; then
>> +        sed -e "s,###UUID###,$uuid,g"  \
>> +            -e "s,###DISK###,$disk1,g" \
>> +            -e "s,</os>,<loader readonly='yes' type='pflash'>$fwpath</loader></os>,g" "$template_xml" > "$test_xml"
>> +        testme "0" "$title" "-r -u $valid_uuid" "$test_xml"
>> +    else
>> +        echo "Skipping FW $title test. Could not find $fwpath"
>> +    fi
>> +}
>> +
>>  # Expected failures
>>  echo "Expected failures:" >$output
>>  testme "1" "invalid arg" "-z"
>> @@ -291,14 +305,8 @@ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
>>  touch "$tmpdir/kernel"
>>  testme "0" "kernel" "-r -u $valid_uuid" "$test_xml"
>>  
>> -if [ -f /usr/share/ovmf/OVMF.fd ]; then
>> -    sed -e "s,###UUID###,$uuid,g"  \
>> -        -e "s,###DISK###,$disk1,g" \
>> -        -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
>> -    testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
>> -else
>> -    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
>> -fi
>> +testfw "ovmf (old path)" "/usr/share/ovmf/OVMF.fd"
>> +testfw "OVMF (new path)" "/usr/share/OVMF/OVMF_CODE.fd"
>>  
>>  sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml"
>>  touch "$tmpdir/initrd"
>> -- 
>> 2.7.4
>>
>> --
>> libvir-list mailing list
>> libvir-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/libvir-list
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 


Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux