virt-aa-helper: allow access to /usr/share/ovmf/

We forbid access to /usr/share/, but (at least on Debian-based systems) the Open Virtual Machine Firmware files needed for booting UEFI virtual machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add that directory to the list of read only paths. A similar patch was suggested by Jamie Strandboge <jamie@canonical.com> on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.
2024-07-03 16:42:37 +00:00 · 2015-08-21 10:52:52 +02:00 · 2015-08-21 10:52:52 +02:00 · 2f01cfdf05
commit 2f01cfdf05
parent d25a5e087a
2 changed files with 11 additions and 1 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -572,7 +572,8 @@ valid_path(const char *path, const bool readonly)
        "/boot/",
        "/vmlinuz",
        "/initrd",
-        "/initrd.img"
+        "/initrd.img",
+        "/usr/share/ovmf/"               /* for OVMF images */
    };
    /* override the above with these */
    const char * const override[] = {
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@ -291,6 +291,15 @@ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<kernel>$tm
 touch "$tmpdir/kernel"
 testme "0" "kernel" "-r -u $valid_uuid" "$test_xml"

+if [ -f /usr/share/ovmf/OVMF.fd ]; then
+    sed -e "s,###UUID###,$uuid,g"  \
+        -e "s,###DISK###,$disk1,g" \
+        -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
+    testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+else
+    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
+fi
+
 sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml"
 touch "$tmpdir/initrd"
 testme "0" "initrd" "-r -u $valid_uuid" "$test_xml"