From b94a82ce9a3a27db2e6f76eacdb64428d11cbe6f Mon Sep 17 00:00:00 2001
From: Jim Fehlig
Date: Thu, 23 Feb 2023 11:02:46 -0700
Subject: [PATCH] security: Add support for SUSE edk2 firmware paths

SUSE installs edk2 firmwares for both x86_64 and aarch64 in /usr/share/qemu. Add support for this path in virt-aa-helper and allow locking files within the path in the libvirt qemu abstraction.

Signed-off-by: Jim Fehlig
Reviewed-by: Michal Privoznik
Reviewed-by: Andrea Bolognani
---
 src/security/apparmor/libvirt-qemu | 2 +-
 src/security/virt-aa-helper.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index d0289b8943..9af1333b22 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -91,7 +91,7 @@
 /usr/share/proll/** r,
 /usr/share/qemu-efi/** r,
 /usr/share/qemu-kvm/** r,
- /usr/share/qemu/** r,
+ /usr/share/qemu/** rk,
 /usr/share/seabios/** r,
 /usr/share/sgabios/** r,
 /usr/share/slof/** r,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f6c9703db6..d65d459850 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
 "/usr/share/AAVMF/", /* for AAVMF images */
 "/usr/share/qemu-efi/", /* for AAVMF images */
 "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
+ "/usr/share/qemu/", /* SUSE path for OVMF and AAVMF images */
 "/usr/lib/u-boot/", /* u-boot loaders for qemu */
 "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
 };
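Review bot: In the `libvirt-qemu` hunk, `/usr/share/qemu/** rk,` grants the lock permission on every file below the directory, while the commit message only motivates locking the edk2 firmware images installed there. If those images follow a predictable naming scheme, a separate narrower rule for them would keep `k` off the rest of the tree and let the existing `/usr/share/qemu/** r,` line stay as it was. At minimum the line should carry a comment such as `# k: edk2 firmware images SUSE installs here must be lockable`, because the neighbouring firmware rules in this hunk are all plain `r` and the reason for the difference is recorded only in the commit message.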
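Review bot: In the `virt-aa-helper.c` hunk, the new `"/usr/share/qemu/"` entry is not SUSE-specific in effect, although its comment reads that way. As far as the hunk shows, the list is built unconditionally, so the prefix is accepted on every host the helper runs on, and that directory may hold more than firmware images. The comment should state the scope, for example `/* SUSE edk2 (OVMF/AAVMF) images; matches the whole qemu data dir */`. How the list is matched, and whether the `readonly` argument restricts these entries, is decided in the part of `valid_path` outside this hunk, so it is worth confirming there that a writable source under this prefix is still rejected.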