A workaround is to (ab)use the template file
/etc/apparmor.d/libvirt/TEMPLATE.qemu
---
profile LIBVIRT_TEMPLATE {
#include <abstractions/libvirt-qemu>
/var/lib/libvirt/qemu/nvram/*_VARS.fd rw,
}
---
I'm not too familiar with AppArmor, nor kvm/libvirt's security model,
but I assume the whole point of virt-aa-helper is to create custom per-VM
AppArmor profiles with domain-specific file names, so *_VARS.fd is
technically insecure, given all guest processes could in theory write to
the EFI/OVMF NVRAM image files, and proper guest vs guest isolation
requires the fix in virt-aa-helper.
--
https://bugs.launchpad.net/bugs/1483071
Title:
Error creating new VM with OVMF
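
The isolation concern in the comment above can be checked mechanically: does a write rule in a profile cover the NVRAM file of more than one guest? The Python sketch below is an added example, not part of the original bug comment or of libvirt. The guest names, their NVRAM file names and the per-guest contrast profile are constructed for illustration, and the glob translation handles only `*`, `**` and `?`.

```python
import re

# Constructed NVRAM paths for two hypothetical guests; only the directory and
# the _VARS.fd suffix come from the workaround quoted above.
GUEST_NVRAM = {
    "guest-a": "/var/lib/libvirt/qemu/nvram/guest-a_VARS.fd",
    "guest-b": "/var/lib/libvirt/qemu/nvram/guest-b_VARS.fd",
}

# The template workaround from the comment, verbatim.
TEMPLATE_WORKAROUND = """\
profile LIBVIRT_TEMPLATE {
#include <abstractions/libvirt-qemu>
/var/lib/libvirt/qemu/nvram/*_VARS.fd rw,
}
"""
# Constructed contrast: the same profile with a rule naming one guest's file.
PER_GUEST = TEMPLATE_WORKAROUND.replace("*_VARS.fd", "guest-a_VARS.fd")

# File rule shape: [owner] <path> <permissions>,  (path optionally quoted)
RULE_RE = re.compile(r'^\s*(?:owner\s+)?"?(/[^\s"]*)"?\s+([A-Za-z]+)\s*,')
GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # [] and {} are not handled

def glob_to_regex(path):
    """Translate an AppArmor path glob into an anchored regular expression."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", path)
    return re.compile("".join(GLOBS.get(t) or re.escape(t) for t in tokens) + r"\Z")

def writable_by(profile_text):
    """Map (line number, path) of each write rule to the guests whose NVRAM it covers."""
    result = {}
    for no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m or not set(m.group(2)) & {"w", "a"}:
            continue
        rx = glob_to_regex(m.group(1))
        hit = sorted(g for g, p in GUEST_NVRAM.items() if rx.match(p))
        if hit:
            result[(no, m.group(1))] = hit
    return result

def shared_rules(profile_text):
    """Rules that let one confined QEMU process write more than one guest's NVRAM."""
    return [rule for rule, guests in writable_by(profile_text).items() if len(guests) > 1]

if __name__ == "__main__":
    for name, text in (("template workaround", TEMPLATE_WORKAROUND), ("per-guest", PER_GUEST)):
        print(name, "->", shared_rules(text) or "no shared NVRAM write rule")
```
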