From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH] security: Add support for SUSE edk2 firmware paths
Date: Thu, 23 Feb 2023 11:13:28 -0700
Message-ID: <20230223181328.32253-1-jfehlig@suse.com>
SUSE installs edk2 firmware for both x86_64 and aarch64 in /usr/share/qemu. Add support for this path in virt-aa-helper and allow locking files within the path in the libvirt qemu abstraction.

Signed-off-by: Jim Fehlig
Reviewed-by: Michal Privoznik
---
FYI, I'm fine maintaining this patch downstream if such a distro-specific change is unwanted upstream. I've already maintained the virt-aa-helper hunk for several years.

src/security/apparmor/libvirt-qemu | 2 +-
src/security/virt-aa-helper.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index d0289b8943..9af1333b22 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu
@@ -91,7 +91,7 @@ /usr/share/proll/** r, /usr/share/qemu-efi/** r, /usr/share/qemu-kvm/** r, - /usr/share/qemu/** r, + /usr/share/qemu/** rk, /usr/share/seabios/** r, /usr/share/sgabios/** r, /usr/share/slof/** r, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index f6c9703db6..d65d459850 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly) "/usr/share/AAVMF/", /* for AAVMF images */ "/usr/share/qemu-efi/", /* for AAVMF images */ "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */ + "/usr/share/qemu/", /* SUSE path for OVMF and AAV= MF images */ "/usr/lib/u-boot/", /* u-boot loaders for qemu */ "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation = */ }; --=20 2.39.2
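Review bot: widening `/usr/share/qemu/** r,` to `/usr/share/qemu/** rk,` in the libvirt-qemu abstraction grants the lock permission on every file under /usr/share/qemu/, not only the edk2 images the commit message names, while the neighbouring `/usr/share/qemu-efi/** r,` and `/usr/share/qemu-kvm/** r,` rules stay read-only. The commit message should say why only the qemu/ tree needs `k` (the other firmware directories in this profile apparently do not), or the rule should be narrowed to the firmware file names SUSE ships there. Since `k` adds no write access the practical exposure is small, but a reader of the profile should not have to guess at the asymmetry.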
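Review bot: the new `"/usr/share/qemu/"` entry in valid_path's override list accepts any file under that directory as a valid firmware path, which is broader than the sibling `/usr/share/AAVMF/`, `/usr/share/qemu-efi/` and `/usr/share/qemu-efi-aarch64/` prefixes that are documented as AAVMF-only; assuming the list is matched by prefix as the trailing slashes suggest, the slash keeps it from also covering `/usr/share/qemu-efi/` and `/usr/share/qemu-kvm/`, so the real bound on access is the `rk` rule in the apparmor abstraction, and the comment could say that instead of only "SUSE path for OVMF and AAVMF images". The `AAV= MF` split and the `lib= virt-qemu` split in the file header are quoted-printable soft line breaks from the mail transport (the message is sent with Content-Transfer-Encoding: quoted-printable), not defects in the patch; `git am` decodes them, so the applied line reads `AAVMF` as intended.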