[apparmor] virt-aa-helper: does not support OVMF?

Jamie Strandboge jamie at canonical.com
Wed Aug 12 14:03:54 UTC 2015


On 08/11/2015 03:44 PM, Felix Geyer wrote:
> Hi,
> 
> On 11.08.2015 22:32, Jamie Strandboge wrote:
>> It is missing in both Ubuntu and Debian. src/security/virt-aa-helper.c needs to
>> update override[] in valid_path() to have '/usr/share/ovmf/'. I'll comment in
>> the Ubuntu bug.
> 
> Maybe I'm missing something but the blacklist in valid_path() seems overly paranoid.
> Allowing it to add read-only access to files from /usr/share should be harmless.
> Especially considering it can allow write access to /home, /root and /dev (yes, I know
> it has to).
> 
valid_path() is checking for what is valid to add to the guest's profile. It is
paranoid because guests should have only the most limited access to the host
possible.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
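
The restricted-prefix check with a narrow override that this thread discusses, as an added C example that is not libvirt's code and not part of the original message. `path_allowed()`, both lists and the sample paths are constructed for illustration, and `..` components are refused outright here instead of being resolved.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, shortened lists for illustration; not copied from libvirt. */
static const char *const restricted[] = { "/etc/", "/proc/", "/sys/", "/usr/share/" };
static const char *const override[] = { "/usr/share/ovmf/" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Return 1 if path starts with any entry of list. */
static int has_prefix(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* Return 1 if path contains a ".." component, which could escape a prefix. */
static int has_dotdot(const char *path)
{
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2) {
        int starts = (p == path) || (p[-1] == '/');
        int ends = (p[2] == '\0') || (p[2] == '/');
        if (starts && ends)
            return 1;
    }
    return 0;
}

/* Return 1 if path may be added to a guest profile, 0 if it must be refused. */
int path_allowed(const char *path)
{
    if (path == NULL || path[0] != '/' || has_dotdot(path))
        return 0;
    if (has_prefix(path, override, COUNT(override)))
        return 1;                      /* the narrow exception wins */
    return !has_prefix(path, restricted, COUNT(restricted));
}

int main(void)
{
    const char *samples[] = { "/usr/share/ovmf/OVMF.fd", "/usr/share/misc/magic",
                              "/usr/share/ovmf-old/OVMF.fd",
                              "/usr/share/ovmf/../../../etc/shadow" };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%-40s %s\n", samples[i], path_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```

The trailing slash on the override entry is what keeps a sibling directory such as `/usr/share/ovmf-old/` from inheriting the exception.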
