On Tue, Jun 4, 2024 at 1:17 PM Miroslav Los via Devel
<devel@xxxxxxxxxxxxxxxxx> wrote:
>
> Since libvirt commit 3ef9b51b10e52886e8fe8d75e36d0714957616b7,
> the pflash storage for the os loader file follows its read-only flag,
> and qemu tries to open the file for writing if set so.
>
> This patches virt-aa-helper to generate the VM's AppArmor rules
> that allow this, using the same domain definition flag and default.
>
> Signed-off-by: Miroslav Los <mirlos@xxxxxxxxx>
> ---
> src/security/virt-aa-helper.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 0374581f07..2f57664a4c 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1001,9 +1001,14 @@ get_files(vahControl * ctl)
> if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
> goto cleanup;
>
> - if (ctl->def->os.loader && ctl->def->os.loader->path)
> - if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
> + if (ctl->def->os.loader && ctl->def->os.loader->path) {
> + bool readonly = false;
> + virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
> + if (vah_add_file(&buf,
> + ctl->def->os.loader->path,
> + readonly ? "rk" : "rwk") != 0)
Not tested, but the approach looks totally reasonable and in line with
the usual virt-aa-helper handling of such cases.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> goto cleanup;
> + }
>
> if (ctl->def->os.loader && ctl->def->os.loader->nvram) {
> if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)
> --
> 2.25.1
--
Christian Ehrhardt
Director of Engineering, Ubuntu Server
Canonical Ltd
