Allows to load firmware in the qemu-efi-loongarch64 directory
Allows the binary qemu-system-loongarch64 to be run

This makes it impossible to run loongarch64 VMs when AppArmor is enabled

Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
---
 src/security/apparmor/libvirt-qemu.in | 1 +
 src/security/virt-aa-helper.c         | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 694da26dea..c63077574e 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -144,6 +144,7 @@
   /usr/bin/qemu-system-hppa rmix,
   /usr/bin/qemu-system-i386 rmix,
   /usr/bin/qemu-system-lm32 rmix,
+  /usr/bin/qemu-system-loongarch64 rmix,
   /usr/bin/qemu-system-m68k rmix,
   /usr/bin/qemu-system-microblaze rmix,
   /usr/bin/qemu-system-microblazeel rmix,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 1cf9d7ad3d..94a28bf331 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
         "/usr/share/AAVMF/",
         "/usr/share/qemu-efi/",              /* for AAVMF images */
         "/usr/share/qemu-efi-aarch64/",
+        "/usr/share/qemu-efi-loongarch64/",
         "/usr/share/qemu-efi-riscv64/",
         "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
         "/usr/lib/u-boot/",
-- 
2.39.1

On Tue, Dec 17, 2024 at 08:29:17PM +0800, Xianglai Li wrote:
> apparmor: Allow running loongarch64 VMs on Debian 12

Nothing about this is specific to Debian 12. In fact, the
qemu-efi-loongarch64 package doesn't exist there at all. I'm also not
planning to backport this change.

> Allows to load firmware in the qemu-efi-loongarch64 directory
> Allows the binary qemu-system-loongarch64 to be run
>
> This makes it impossible to run loongarch64 VMs when AppArmor is enabled

s/impossible/possible/


With the commit message tweaked according to the above,

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

and pushed.

-- 
Andrea Bolognani / Red Hat / Virtualization

Hi Andrea Bolognani :
> On Tue, Dec 17, 2024 at 08:29:17PM +0800, Xianglai Li wrote:
>> apparmor: Allow running loongarch64 VMs on Debian 12
> Nothing about this is specific to Debian 12. In fact, the
> qemu-efi-loongarch64 package doesn't exist there at all. I'm also not
> planning to backport this change.

Thank you very much for merging this patch!:-)
Let me explain this qemu-efi-loongarch64 question:
     On debian operating systems, loongarch UEFI bios is placed under
the /usr/share/qemu-efi-loongarch64 path.
And the loongarch64 UEFI bios package name is qemu-efi-loongarch64.
You can find it from the link below:
http://ftp.ports.debian.org/debian-ports/pool/main/e/edk2/
Software package naming and UEFI bios placement path are consistent with 
other architectures.

Thanks!
Xianglai.

>> Allows to load firmware in the qemu-efi-loongarch64 directory
>> Allows the binary qemu-system-loongarch64 to be run
>>
>> This makes it impossible to run loongarch64 VMs when AppArmor is enabled
> s/impossible/possible/
>
>
> With the commit message tweaked according to the above,
>
>    Reviewed-by: Andrea Bolognani <abologna@redhat.com>
>
> and pushed.
>

On Mon, Jan 06, 2025 at 10:52:51AM +0800, lixianglai wrote:
> > > apparmor: Allow running loongarch64 VMs on Debian 12
> >
> > Nothing about this is specific to Debian 12. In fact, the
> > qemu-efi-loongarch64 package doesn't exist there at all. I'm also not
> > planning to backport this change.
>
> Thank you very much for merging this patch!:-)
> Let me explain this qemu-efi-loongarch64 question:
>     On debian operating systems, loongarch UEFI bios is placed under
> the /usr/share/qemu-efi-loongarch64 path.
> And the loongarch64 UEFI bios package name is qemu-efi-loongarch64.
> You can find it from the link below:
> http://ftp.ports.debian.org/debian-ports/pool/main/e/edk2/
> Software package naming and UEFI bios placement path are consistent with
> other architectures.

I understand all this, and the changes are correct. I wouldn't have
merged the patch otherwise ;)

What I was pointing out is that in Debian *12* specifically there is
no qemu-efi-loongarch64 package yet: it was introduced later. So
claiming that this change will allow running loongarch64 VMs on
Debian *12* is not accurate, which is why I dropped that reference
from the commit message.

-- 
Andrea Bolognani / Red Hat / Virtualization

Allows to load firmware in the qemu-efi-loongarch64 directory
Allows the binary qemu-system-loongarch64 to be run

This makes it impossible to run loongarch64 VMs when AppArmor is enabled

Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
---
 src/security/apparmor/libvirt-qemu.in | 1 +
 src/security/virt-aa-helper.c         | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
index 694da26dea..c63077574e 100644
--- a/src/security/apparmor/libvirt-qemu.in
+++ b/src/security/apparmor/libvirt-qemu.in
@@ -144,6 +144,7 @@
   /usr/bin/qemu-system-hppa rmix,
   /usr/bin/qemu-system-i386 rmix,
   /usr/bin/qemu-system-lm32 rmix,
+  /usr/bin/qemu-system-loongarch64 rmix,
   /usr/bin/qemu-system-m68k rmix,
   /usr/bin/qemu-system-microblaze rmix,
   /usr/bin/qemu-system-microblazeel rmix,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 1cf9d7ad3d..94a28bf331 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
         "/usr/share/AAVMF/",
         "/usr/share/qemu-efi/",              /* for AAVMF images */
         "/usr/share/qemu-efi-aarch64/",
+        "/usr/share/qemu-efi-loongarch64/",
         "/usr/share/qemu-efi-riscv64/",
         "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
         "/usr/lib/u-boot/",
-- 
2.39.1

ping

> Allows to load firmware in the qemu-efi-loongarch64 directory
> Allows the binary qemu-system-loongarch64 to be run
>
> This makes it impossible to run loongarch64 VMs when AppArmor is enabled
>
> Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
> ---
>   src/security/apparmor/libvirt-qemu.in | 1 +
>   src/security/virt-aa-helper.c         | 1 +
>   2 files changed, 2 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
> index 694da26dea..c63077574e 100644
> --- a/src/security/apparmor/libvirt-qemu.in
> +++ b/src/security/apparmor/libvirt-qemu.in
> @@ -144,6 +144,7 @@
>     /usr/bin/qemu-system-hppa rmix,
>     /usr/bin/qemu-system-i386 rmix,
>     /usr/bin/qemu-system-lm32 rmix,
> +  /usr/bin/qemu-system-loongarch64 rmix,
>     /usr/bin/qemu-system-m68k rmix,
>     /usr/bin/qemu-system-microblaze rmix,
>     /usr/bin/qemu-system-microblazeel rmix,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 1cf9d7ad3d..94a28bf331 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
>           "/usr/share/AAVMF/",
>           "/usr/share/qemu-efi/",              /* for AAVMF images */
>           "/usr/share/qemu-efi-aarch64/",
> +        "/usr/share/qemu-efi-loongarch64/",
>           "/usr/share/qemu-efi-riscv64/",
>           "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
>           "/usr/lib/u-boot/",