On 9/28/22 14:45, christian.ehrhardt@xxxxxxxxxxxxx wrote: > From: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > > Riscv64 usually uses u-boot as external -kernel and a loader from > the open implementation of RISC-V SBI. The paths for those binaries > as packaged in Debian and Ubuntu are in paths which are usually > forbidden to be added by the user under /usr/lib... > > People used to start riscv64 guests only manually via qemu cmdline, > but trying to encapsulate that via libvirt now causes failures when > starting the guest due to the apparmor isolation not allowing that: > virt-aa-helper: error: skipped restricted file > virt-aa-helper: error: invalid VM definition > > Explicitly allow the sub-paths used by u-boot-qemu and opensbi > under /usr/lib/ as readonly rules. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/security/virt-aa-helper.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx> Michal
