On 08/11/2015 02:37 PM, intrigeri wrote:
> Hi,
>
> it seems that virt-aa-helper (the helper tool that dynamically
> generates AppArmor profiles for libvirt VMs) does not add
> /usr/share/ovmf/OVMF.fd to the list of allowed files when I have
> (excerpt):
>
>   <os>
>     <loader type='rom'>/usr/share/ovmf/OVMF.fd</loader>
>   </os>
>
> I have this:
>
>   abstractions/libvirt-qemu: /usr/share/ovmf/** r,
>
> ... that was added to fix LP: #1074207.
>
> But I don't see any corresponding change to virt-aa-helper, and:
>
>   libvirtd[28763]: internal error: Child process
>   (/usr/lib/libvirt/virt-aa-helper -p 0 -r -u
>   libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef) unexpected exit status
>   1: virt-aa-helper: error: /usr/share/ovmf/OVMF.fd
>   virt-aa-helper: error: skipped restricted file
>   virt-aa-helper: error: invalid VM definition
>   libvirtd[28763]: internal error: cannot load AppArmor profile
>   'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
>
> Is there a fix we're missing on Debian, or is it missing on Ubuntu
> as well?
>

It is missing in both Ubuntu and Debian. src/security/virt-aa-helper.c needs to
update override[] in valid_path() to have '/usr/share/ovmf/'. I'll comment in
the Ubuntu bug.

-- Jamie Strandboge http://www.ubuntu.com/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
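
A simplified model of the restricted/override prefix check the reply refers to, as an added example that is not libvirt's code and not part of the original message. The function name `check_path`, the contents of the prefix lists other than `/usr/share/ovmf/`, and the two constructed sample paths are assumptions made to reproduce the "skipped restricted file" result from the report.

```c
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified model, not libvirt's source. List contents are assumptions
 * chosen to reproduce the behaviour described in the thread. */
static const char *const restricted[]   = { "/etc/", "/proc/", "/usr/share/" };
static const char *const override_old[] = { "/sys/devices/pci" };
static const char *const override_new[] = { "/sys/devices/pci", "/usr/share/ovmf/" };

/* Return 1 if path begins with any prefix in list[0..n). */
static int has_prefix(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* 0 = allowed, 1 = restricted ("skipped restricted file").
 * Assumes path is already canonical (no "..", no symlinks). */
static int check_path(const char *path, const char *const *override, size_t n)
{
    if (path[0] != '/')
        return 1;                      /* relative paths are rejected */
    if (has_prefix(path, override, n))
        return 0;                      /* an override entry beats restricted[] */
    return has_prefix(path, restricted, N(restricted));
}

int main(void)
{
    const char *paths[] = {
        "/usr/share/ovmf/OVMF.fd",         /* the loader from the report */
        "/usr/share/ovmf-other/x.fd",      /* constructed: sibling directory */
        "/var/lib/libvirt/images/vm.img",  /* constructed: unrestricted path */
    };
    for (size_t i = 0; i < N(paths); i++)
        printf("%-32s before=%d after=%d\n", paths[i],
               check_path(paths[i], override_old, N(override_old)),
               check_path(paths[i], override_new, N(override_new)));
    return 0;
}
```

The trailing slash on the override entry is what keeps a sibling directory such as `/usr/share/ovmf-other/` restricted after the change.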
