1. Patchew
  2. Libvirt
  3. [PATCH v2 00/38] qemu: Implement support for uefi-vars device (varstore element)
  4. View patch

[PATCH v2 33/38] security: Mark ROMs as read only when using AppArmor

Andrea Bolognani via Devel posted 38 patches 12 hours ago
[PATCH v2 33/38] security: Mark ROMs as read only when using AppArmor
Posted by Andrea Bolognani via Devel 12 hours ago 
Before this, attempting to use a ROM that was not explictly
marked at read only resulted in an error at startup time.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/virt-aa-helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f4ec6b7826..3ac4740fb5 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1021,7 +1021,15 @@ get_files(vahControl * ctl)
 
     if (ctl->def->os.loader && ctl->def->os.loader->path) {
         bool readonly = false;
+
+        /* Look at the readonly attribute, but also keep in mind that ROMs
+         * are always loaded read-only regardless of whether the attribute
+         * is present. Validation ensures that nonsensical configurations
+         * (type=rom readonly=no) are rejected long before we get here */
         virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+        if (ctl->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_ROM)
+            readonly = true;
+
         if (vah_add_file(&buf,
                          ctl->def->os.loader->path,
                          readonly ? "rk" : "rwk") != 0) {
-- 
2.53.0

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.