On Fri, Sep 30, 2022 at 6:37 PM Jim Fehlig <jfehlig@xxxxxxxx> wrote: > > On 9/29/22 23:43, Christian Ehrhardt wrote: > > On Thu, Sep 29, 2022 at 11:30 PM Jim Fehlig <jfehlig@xxxxxxxx> wrote: > >> > >> On 9/28/22 06:45, christian.ehrhardt@xxxxxxxxxxxxx wrote: > >>> From: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > >>> > >>> Riscv64 usually uses u-boot as external -kernel and a loader from > >>> the open implementation of RISC-V SBI. The paths for those binaries > >>> as packaged in Debian and Ubuntu are in paths which are usually > >>> forbidden to be added by the user under /usr/lib... > >> > >> Do you know if the path is configurable? > > > > Not on the libvirt stage, here it is > > a) whatever users specify as kernel/loader in guest XML > > b) (our) qemu 7.0 delivers it in the default paths for firmwares (that > > are already allowed in src/security/apparmor/libvirt-qemu, but you'd > > not want virt-aa-helper to complain on it still) > > > >> Are distros free to put those binaries where they choose? > > > > Well, in Debian/Ubuntu we'd still obey the FHS rules, but to some > > extent yes it could be in other places. > > > >> E.g. /usr/libexec or similar? > > > > The libexec folks are usually fedora/RH which do not care about > > apparmor that much, so we have historically not added those in code to > > keep it readable (static rules use @libexecdir@ replaced at build > > time). > > > > AFAICS you show to copy out the u-boot from the image [1] > > Which does not end up in a predictable path-prefix that I could add here. > > > > If you tell me that on Suse the paths for these binaries are different > > I'm more than happy to spin a v2 that also has your paths. > > Or you provide a follow up with that content once/if you've found a > > path that you'll regularly need. > > Thanks for the info. Let's go with the latter option. I'll send a follow up > patch if/when needed. Thanks for the review Michal, thanks for the discussion Jim. Since v8.8.0 is finalized we are open again and this LGTM so I pushed it to the main branch. > Regards, > Jim -- Christian Ehrhardt Senior Staff Engineer, Ubuntu Server Canonical Ltd