When generating paths for a domain specific AppArmor profile each
path undergoes a validation where it's matched against an array
of well known prefixes (among other things). Now, for
OVMF/AAVMF/... images we have a list and some entries have
comments to which type of image the entry belongs to. For
instance:
"/usr/share/OVMF/", /* for OVMF images */
"/usr/share/AAVMF/", /* for AAVMF images */
But these comments are pretty useless. The path itself already
gives away the image type. Drop them.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/security/virt-aa-helper.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index a3f85d26b0..c1e89dc6cf 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -475,15 +475,15 @@ valid_path(const char *path, const bool readonly)
"/initrd",
"/initrd.img",
"/usr/share/edk2/",
- "/usr/share/edk2-ovmf/", /* for OVMF images */
- "/usr/share/OVMF/", /* for OVMF images */
- "/usr/share/ovmf/", /* for OVMF images */
- "/usr/share/AAVMF/", /* for AAVMF images */
+ "/usr/share/edk2-ovmf/",
+ "/usr/share/OVMF/",
+ "/usr/share/ovmf/",
+ "/usr/share/AAVMF/",
"/usr/share/qemu-efi/", /* for AAVMF images */
- "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
+ "/usr/share/qemu-efi-aarch64/",
"/usr/share/qemu/", /* SUSE path for OVMF and AAVMF images */
- "/usr/lib/u-boot/", /* u-boot loaders for qemu */
- "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
+ "/usr/lib/u-boot/",
+ "/usr/lib/riscv64-linux-gnu/opensbi",
};
/* override the above with these */
const char * const override[] = {
--
2.44.2On 7/9/24 04:04, Michal Privoznik wrote:
> When generating paths for a domain specific AppArmor profile each
> path undergoes a validation where it's matched against an array
> of well known prefixes (among other things). Now, for
> OVMF/AAVMF/... images we have a list and some entries have
> comments to which type of image the entry belongs to. For
> instance:
>
> "/usr/share/OVMF/", /* for OVMF images */
> "/usr/share/AAVMF/", /* for AAVMF images */
>
> But these comments are pretty useless. The path itself already
> gives away the image type. Drop them.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
> ---
> src/security/virt-aa-helper.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index a3f85d26b0..c1e89dc6cf 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -475,15 +475,15 @@ valid_path(const char *path, const bool readonly)
> "/initrd",
> "/initrd.img",
> "/usr/share/edk2/",
> - "/usr/share/edk2-ovmf/", /* for OVMF images */
Short lived comment :-).
Jim
> - "/usr/share/OVMF/", /* for OVMF images */
> - "/usr/share/ovmf/", /* for OVMF images */
> - "/usr/share/AAVMF/", /* for AAVMF images */
> + "/usr/share/edk2-ovmf/",
> + "/usr/share/OVMF/",
> + "/usr/share/ovmf/",
> + "/usr/share/AAVMF/",
> "/usr/share/qemu-efi/", /* for AAVMF images */
> - "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
> + "/usr/share/qemu-efi-aarch64/",
> "/usr/share/qemu/", /* SUSE path for OVMF and AAVMF images */
> - "/usr/lib/u-boot/", /* u-boot loaders for qemu */
> - "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
> + "/usr/lib/u-boot/",
> + "/usr/lib/riscv64-linux-gnu/opensbi",
> };
> /* override the above with these */
> const char * const override[] = {
© 2016 - 2024 Red Hat, Inc.