From: christian.ehrhardt@canonical.com
To: libvir-list@redhat.com
Cc: Andrea Bolognani, Christian Ehrhardt
Subject: [PATCH] virt-aa-helper: allow common riscv64 loader paths
Date: Wed, 28 Sep 2022 14:45:21 +0200
Message-Id: <20220928124521.266475-1-christian.ehrhardt@canonical.com>
List-Id: Development discussions about the libvirt library & tools
From: Christian Ehrhardt

Riscv64 usually uses u-boot as external -kernel and a loader from the open implementation of RISC-V SBI.

The paths for those binaries as packaged in Debian and Ubuntu are in paths which are usually forbidden to be added by the user under /usr/lib...

People used to start riscv64 guests only manually via qemu cmdline, but trying to encapsulate that via libvirt now causes failures when starting the guest due to the apparmor isolation not allowing that:

  virt-aa-helper: error: skipped restricted file
  virt-aa-helper: error: invalid VM definition

Explicitly allow the sub-paths used by u-boot-qemu and opensbi under /usr/lib/ as readonly rules.

Signed-off-by: Christian Ehrhardt
Reviewed-by: Michal Privoznik
---
 src/security/virt-aa-helper.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index f338488da3..ceadaef99b 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly) "/initrd", "/initrd.img", "/usr/share/edk2/", - "/usr/share/OVMF/", /* for OVMF images */ - "/usr/share/ovmf/", /* for OVMF images */ - "/usr/share/AAVMF/", /* for AAVMF images */ - "/usr/share/qemu-efi/", /* for AAVMF images */ - "/usr/share/qemu-efi-aarch64/" /* for AAVMF images */ + "/usr/share/OVMF/", /* for OVMF images */ + "/usr/share/ovmf/", /* for OVMF images */ + "/usr/share/AAVMF/", /* for AAVMF images */ + "/usr/share/qemu-efi/", /* for AAVMF images */ + "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */ + "/usr/lib/u-boot/", /* u-boot loaders for qemu */ + "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation = */ }; /* override the above with these */ const char * const override[] =3D { --=20 2.37.3
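Review bot: the new "/usr/lib/riscv64-linux-gnu/opensbi" entry is the only directory entry in this list without a trailing "/" (compare "/usr/lib/u-boot/" added right beside it and every "/usr/share/..." entry above it); if these entries are prefix-matched, as the trailing slashes on the directory entries suggest, the missing slash also lets a sibling path whose name merely starts with "opensbi" pass, so unless the omission is deliberate append the "/" so the rule covers only files under that directory. Separately, the five "/usr/share/OVMF/" through "/usr/share/qemu-efi-aarch64/" lines are removed and re-added only to realign the trailing comments, which hides the actual functional change (the added comma after "/usr/share/qemu-efi-aarch64/" plus the two new entries) in a mostly-whitespace hunk; consider dropping the realignment or moving it into its own patch so the change to the read-only allow list is reviewable on its own.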