On 7/9/24 04:04, Michal Privoznik wrote:
When generating paths for a domain specific AppArmor profile each path undergoes a validation where it's matched against an array of well known prefixes (among other things). Now, for OVMF/AAVMF/... images we have a list and some entries have comments to which type of image the entry belongs to. For instance:

    "/usr/share/OVMF/", /* for OVMF images */
    "/usr/share/AAVMF/", /* for AAVMF images */

But these comments are pretty useless. The path itself already gives away the image type. Drop them.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
Reviewed-by: Jim Fehlig <jfehlig@xxxxxxxx>
--- src/security/virt-aa-helper.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index a3f85d26b0..c1e89dc6cf 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -475,15 +475,15 @@ valid_path(const char *path, const bool readonly) "/initrd", "/initrd.img", "/usr/share/edk2/", - "/usr/share/edk2-ovmf/", /* for OVMF images */
Short lived comment :-). Jim
- "/usr/share/OVMF/", /* for OVMF images */ - "/usr/share/ovmf/", /* for OVMF images */ - "/usr/share/AAVMF/", /* for AAVMF images */ + "/usr/share/edk2-ovmf/", + "/usr/share/OVMF/", + "/usr/share/ovmf/", + "/usr/share/AAVMF/", "/usr/share/qemu-efi/", /* for AAVMF images */ - "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */ + "/usr/share/qemu-efi-aarch64/", "/usr/share/qemu/", /* SUSE path for OVMF and AAVMF images */ - "/usr/lib/u-boot/", /* u-boot loaders for qemu */ - "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */ + "/usr/lib/u-boot/", + "/usr/lib/riscv64-linux-gnu/opensbi", }; /* override the above with these */ const char * const override[] = {
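Review bot: in the valid_path() prefix list, "/usr/share/qemu-efi/" keeps its /* for AAVMF images */ comment while the identical comment on "/usr/share/qemu-efi-aarch64/" is dropped, so the result is inconsistent with the commit message's own reasoning. Either drop that comment too or say in the commit message which comments are kept on purpose (the SUSE note on "/usr/share/qemu/" is a reasonable one to keep, since that path does not reveal the image type). The last entry, "/usr/lib/riscv64-linux-gnu/opensbi", also gains a trailing comma that the commit message does not mention; a word about it would help. Not introduced by this patch, but while the list is being touched: that entry is the only firmware directory here without a trailing "/", so if the check is a plain string-prefix comparison it would also accept sibling names that merely start with "opensbi". It is worth confirming that this is intended.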