On 9/29/22 23:43, Christian Ehrhardt wrote:
On Thu, Sep 29, 2022 at 11:30 PM Jim Fehlig <jfehlig@xxxxxxxx> wrote:
On 9/28/22 06:45, christian.ehrhardt@xxxxxxxxxxxxx wrote:
From: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Riscv64 usually uses u-boot as external -kernel and a loader from
the open implementation of RISC-V SBI. The paths for those binaries
as packaged in Debian and Ubuntu are in paths which are usually
forbidden to be added by the user under /usr/lib...
Do you know if the path is configurable?
Not on the libvirt stage, here it is
a) whatever users specify as kernel/loader in guest XML
b) (our) qemu 7.0 delivers it in the default paths for firmwares (that
are already allowed in src/security/apparmor/libvirt-qemu, but you'd
not want virt-aa-helper to complain on it still)
Are distros free to put those binaries where they choose?
Well, in Debian/Ubuntu we'd still obey the FHS rules, but to some
extent yes it could be in other places.
E.g. /usr/libexec or similar?
The libexec folks are usually fedora/RH which do not care about
apparmor that much, so we have historically not added those in code to
keep it readable (static rules use @libexecdir@ replaced at build
time).
AFAICS you show to copy out the u-boot from the image [1]
Which does not end up in a predictable path-prefix that I could add here.
If you tell me that on Suse the paths for these binaries are different
I'm more than happy to spin a v2 that also has your paths.
Or you provide a follow up with that content once/if you've found a
path that you'll regularly need.
Thanks for the info. Let's go with the latter option. I'll send a follow up
patch if/when needed.
Regards,
Jim
