On 9/28/22 06:45, christian.ehrhardt@xxxxxxxxxxxxx wrote:
From: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Riscv64 usually uses u-boot as external -kernel and a loader from
the open implementation of RISC-V SBI. The paths for those binaries
as packaged in Debian and Ubuntu are in paths which are usually
forbidden to be added by the user under /usr/lib...
Do you know if the path is configurable? Are distros free to put those binaries
where they choose? E.g. /usr/libexec or similar?
Regards,
Jim
People used to start riscv64 guests only manually via qemu cmdline,
but trying to encapsulate that via libvirt now causes failures when
starting the guest due to the apparmor isolation not allowing that:
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
Explicitly allow the sub-paths used by u-boot-qemu and opensbi
under /usr/lib/ as readonly rules.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
src/security/virt-aa-helper.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f338488da3..ceadaef99b 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly)
"/initrd",
"/initrd.img",
"/usr/share/edk2/",
- "/usr/share/OVMF/", /* for OVMF images */
- "/usr/share/ovmf/", /* for OVMF images */
- "/usr/share/AAVMF/", /* for AAVMF images */
- "/usr/share/qemu-efi/", /* for AAVMF images */
- "/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
+ "/usr/share/OVMF/", /* for OVMF images */
+ "/usr/share/ovmf/", /* for OVMF images */
+ "/usr/share/AAVMF/", /* for AAVMF images */
+ "/usr/share/qemu-efi/", /* for AAVMF images */
+ "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
+ "/usr/lib/u-boot/", /* u-boot loaders for qemu */
+ "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
};
/* override the above with these */
const char * const override[] = {
