[apparmor] virt-aa-helper: does not support OVMF?
Jamie Strandboge
jamie at canonical.com
Tue Aug 11 20:32:29 UTC 2015
On 08/11/2015 02:37 PM, intrigeri wrote:
> Hi,
>
> it seems that virt-aa-helper (the helper tool that dynamically
> generates AppArmor profiles for libvirt VMs) does not add
> /usr/share/ovmf/OVMF.fd to the list of allowed files when I have
> (excerpt):
>
> <os>
> <loader type='rom'>/usr/share/ovmf/OVMF.fd</loader>
> </os>
>
> I have this:
>
> abstractions/libvirt-qemu: /usr/share/ovmf/** r,
>
> ... that was added to fix LP: #1074207.
>
> But I don't see any corresponding change to virt-aa-helper, and:
>
> libvirtd[28763]: internal error: Child process
> (/usr/lib/libvirt/virt-aa-helper -p 0 -r -u
> libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status
> 1: virt-aa-helper: error: /usr/share/ovmf/OVMF.fd
> virt-aa-helper: error: skipped restricted file
> virt-aa-helper: error: invalid VM definition
> libvirtd[28763]: internal error: cannot load AppArmor profile
> 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
>
> Is there a fix we're missing on Debian, or is it missing on Ubuntu
> as well?
>
It is missing in both Ubuntu and Debian. src/security/virt-aa-helper.c needs to
update override[] in valid_path() to have '/usr/share/ovmf/'. I'll comment in
the Ubuntu bug.
--
Jamie Strandboge http://www.ubuntu.com/