[PATCH v2 6/7] apparmor: Allow some more BIOS/UEFI paths

Michal Privoznik posted 7 patches 6 years ago
There is a newer version of this series
[PATCH v2 6/7] apparmor: Allow some more BIOS/UEFI paths
Posted by Michal Privoznik 6 years ago
There are two more paths that we are missing in the default
domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.
These exist on my Gentoo box and contain UEFI and BIOS images
respectively.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 2291829270..6942b83969 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -75,6 +75,7 @@
   # access to firmware's etc
   /usr/share/AAVMF/** r,
   /usr/share/bochs/** r,
+  /usr/share/edk2-ovmf/** r,
   /usr/share/kvm/** r,
   /usr/share/misc/sgabios.bin r,
   /usr/share/openbios/** r,
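Review bot: The added `/usr/share/edk2-ovmf/** r,` line is a distribution-specific location (the commit message names a Gentoo box), but the block's only documentation is `# access to firmware's etc`, so nothing records which distribution needs which entry. A short comment naming the distribution or package next to the rule would let later reviewers audit or prune the list. The rule itself is read-only and keeps the block's alphabetical order.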
@@ -86,6 +87,7 @@
   /usr/share/qemu-kvm/** r,
   /usr/share/qemu/** r,
   /usr/share/seabios/** r,
+  /usr/share/sgabios/** r,
   /usr/share/slof/** r,
   /usr/share/vgabios/** r,
 
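Review bot: The added `/usr/share/sgabios/** r,` grants recursive read on a whole directory, while the existing sgabios rule in the first hunk's context, `/usr/share/misc/sgabios.bin r,`, names a single file. If the directory only ships the one image, `/usr/share/sgabios/sgabios.bin r,` would mirror the existing rule and keep the grant minimal; if more images are expected there, say so in the commit message.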
-- 
2.24.1

Re: [PATCH v2 6/7] apparmor: Allow some more BIOS/UEFI paths
Posted by Christian Ehrhardt 6 years ago
On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <mprivozn@redhat.com>
wrote:

> There are two more paths that we are missing in the default
> domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.
> These exist on my Gentoo box and contain UEFI and BIOS images
> respectively.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>

Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>


> ---
>  src/security/apparmor/libvirt-qemu | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu
> b/src/security/apparmor/libvirt-qemu
> index 2291829270..6942b83969 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -75,6 +75,7 @@
>    # access to firmware's etc
>    /usr/share/AAVMF/** r,
>    /usr/share/bochs/** r,
> +  /usr/share/edk2-ovmf/** r,
>    /usr/share/kvm/** r,
>    /usr/share/misc/sgabios.bin r,
>    /usr/share/openbios/** r,
> @@ -86,6 +87,7 @@
>    /usr/share/qemu-kvm/** r,
>    /usr/share/qemu/** r,
>    /usr/share/seabios/** r,
> +  /usr/share/sgabios/** r,
>    /usr/share/slof/** r,
>    /usr/share/vgabios/** r,
>
> --
> 2.24.1
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Re: [PATCH v2 6/7] apparmor: Allow some more BIOS/UEFI paths
Posted by Christian Ehrhardt 5 years, 12 months ago
On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <mprivozn@redhat.com>
wrote:

> There are two more paths that we are missing in the default
> domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.
> These exist on my Gentoo box and contain UEFI and BIOS images
> respectively.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 ++
>  1 file changed, 2 insertions(+)
>
>
Hi Michal,
You might already have abandoned this as I've seen other parts of the
series land (thanks for the dynamic paths now). But revisiting this I found
that they seem not needed.


> diff --git a/src/security/apparmor/libvirt-qemu
> b/src/security/apparmor/libvirt-qemu
> index 2291829270..6942b83969 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -75,6 +75,7 @@
>    # access to firmware's etc
>    /usr/share/AAVMF/** r,
>    /usr/share/bochs/** r,
> +  /usr/share/edk2-ovmf/** r,
>

At least on Debian/Ubuntu the multiple edk2 related cases are already
covered by

85342a3771b (Guido Günther    2014-04-07 12:15:02 +0200)
  /usr/share/ovmf/** r,
f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
  /usr/share/OVMF/** r,
f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
   /usr/share/AAVMF/** r,
f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
   /usr/share/qemu-efi/** r,


>    /usr/share/kvm/** r,
>    /usr/share/misc/sgabios.bin r,
>    /usr/share/openbios/** r,
> @@ -86,6 +87,7 @@
>    /usr/share/qemu-kvm/** r,
>    /usr/share/qemu/** r,
>    /usr/share/seabios/** r,
> +  /usr/share/sgabios/** r,
>

Again for Debian/Ubuntu this is already covered by:
987d1fdc535 (Guido Günther    2018-01-15 09:44:37 +0100)
  /usr/share/misc/sgabios.bin r,

I guess Suse would have mentioned if the paths would not have worked for
them.
Did you have another Distro which uses the paths that you try to add here?


>    /usr/share/slof/** r,
>    /usr/share/vgabios/** r,
>


> --
> 2.24.1
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

Re: [PATCH v2 6/7] apparmor: Allow some more BIOS/UEFI paths
Posted by Michal Privoznik 5 years, 12 months ago
On 2/12/20 11:38 AM, Christian Ehrhardt wrote:
> 
> 
> On Thu, Jan 30, 2020 at 8:05 AM Michal Privoznik <mprivozn@redhat.com> wrote:
> 
>     There are two more paths that we are missing in the default
>     domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/.
>     These exist on my Gentoo box and contain UEFI and BIOS images
>     respectively.
> 
>     Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>     ---
>       src/security/apparmor/libvirt-qemu | 2 ++
>       1 file changed, 2 insertions(+)
> 
> 
> Hi Michal,
> You might already have abandoned this as I've seen other parts of the
> series land (thanks for the dynamic paths now). But revisiting this I
> found that they seem not needed.
> 
>     diff --git a/src/security/apparmor/libvirt-qemu
>     b/src/security/apparmor/libvirt-qemu
>     index 2291829270..6942b83969 100644
>     --- a/src/security/apparmor/libvirt-qemu
>     +++ b/src/security/apparmor/libvirt-qemu
>     @@ -75,6 +75,7 @@
>         # access to firmware's etc
>         /usr/share/AAVMF/** r,
>         /usr/share/bochs/** r,
>     +  /usr/share/edk2-ovmf/** r,
> 
> 
> At least on Debian/Ubuntu the multiple edk2 related cases are already 
> covered by
> 
> 85342a3771b (Guido Günther    2014-04-07 12:15:02 +0200)
>    /usr/share/ovmf/** r,
> f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
>    /usr/share/OVMF/** r,
> f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
>     /usr/share/AAVMF/** r,
> f9803f59148 (Guido Günther    2017-07-06 11:04:21 +0200)
>     /usr/share/qemu-efi/** r,
> 
>         /usr/share/kvm/** r,
>         /usr/share/misc/sgabios.bin r,
>         /usr/share/openbios/** r,
>     @@ -86,6 +87,7 @@
>         /usr/share/qemu-kvm/** r,
>         /usr/share/qemu/** r,
>         /usr/share/seabios/** r,
>     +  /usr/share/sgabios/** r,
> 
> 
> Again for Debian/Ubuntu this is already covered by:
> 987d1fdc535 (Guido Günther    2018-01-15 09:44:37 +0100)
>    /usr/share/misc/sgabios.bin r,
> 
> I guess Suse would have mentioned if the paths would not have worked for
> them.
> Did you have another Distro which uses the paths that you try to add here?


I'm not sure what you mean. The commit message says that Gentoo uses 
these paths. And indeed it does:

# qlist sys-firmware/edk2-ovmf | grep OVMF_CODE.fd
/usr/share/edk2-ovmf/OVMF_CODE.fd

# qlist sys-firmware/sgabios
/usr/share/sgabios/sgabios.bin

Are you saying that we should remove some other, pre-existing paths from 
the file?

Michal
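
The coverage question debated in this thread can be checked mechanically. The following is an added example, not part of the original thread or of libvirt's code: it matches the Gentoo paths from the qlist output against the rules visible in the patch context and in the cited blame lines. It assumes a simplified model of AppArmor globbing (only `*` and `**`); `rule_to_regex` and `covering_rules` are hypothetical helper names.

```python
import re

# Rules visible on this page: patch context lines plus the blame lines
# Christian cites. Profile lines outside the two hunks are not shown,
# so this list is partial (assumption of this example).
EXISTING_RULES = [
    "/usr/share/AAVMF/**", "/usr/share/bochs/**", "/usr/share/kvm/**",
    "/usr/share/misc/sgabios.bin", "/usr/share/openbios/**",
    "/usr/share/ovmf/**", "/usr/share/OVMF/**", "/usr/share/qemu-efi/**",
    "/usr/share/qemu-kvm/**", "/usr/share/qemu/**", "/usr/share/seabios/**",
    "/usr/share/slof/**", "/usr/share/vgabios/**",
]
ADDED_RULES = ["/usr/share/edk2-ovmf/**", "/usr/share/sgabios/**"]

# Paths from the qlist output in the thread.
GENTOO_PATHS = [
    "/usr/share/edk2-ovmf/OVMF_CODE.fd",
    "/usr/share/sgabios/sgabios.bin",
]


def rule_to_regex(rule):
    """Translate a path rule to a regex (simplified: only * and **)."""
    parts, i = [], 0
    while i < len(rule):
        if rule[i] == "*":
            wide = rule.startswith("**", i)
            # "**" may cross "/", "*" may not; directly after a "/" the
            # glob has to consume at least one character.
            count = "+" if i > 0 and rule[i - 1] == "/" else "*"
            parts.append(("[^\\x00]" if wide else "[^/\\x00]") + count)
            i += 2 if wide else 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(parts))


def covering_rules(path, rules):
    """Return every rule that matches the path (matching is case-sensitive)."""
    return [r for r in rules if rule_to_regex(r).fullmatch(path)]


if __name__ == "__main__":
    for p in GENTOO_PATHS:
        before = covering_rules(p, EXISTING_RULES)
        after = covering_rules(p, EXISTING_RULES + ADDED_RULES)
        print(f"{p}\n  before: {before or 'no matching rule'}\n  after:  {after}")
```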