From 2f01cfdf05448513d150ff1914d3444161c531b9 Mon Sep 17 00:00:00 2001
From: intrigeri
Date: Fri, 21 Aug 2015 10:52:52 +0200
Subject: [PATCH] virt-aa-helper: allow access to /usr/share/ovmf/

We forbid access to /usr/share/, but (at least on Debian-based systems) the Open Virtual Machine Firmware files needed for booting UEFI virtual machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add that directory to the list of read only paths. A similar patch was suggested by Jamie Strandboge on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.
---
 src/security/virt-aa-helper.c | 3 ++-
 tests/virt-aa-helper-test | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8e01bf6e66..f163fe777c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -572,7 +572,8 @@ valid_path(const char *path, const bool readonly)
 "/boot/",
 "/vmlinuz",
 "/initrd",
- "/initrd.img"
+ "/initrd.img",
+ "/usr/share/ovmf/" /* for OVMF images */
 };
 /* override the above with these */
 const char * const override[] = {
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index caf2f97ba9..1d03f5f4e0 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -291,6 +291,15 @@ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,$tm
 touch "$tmpdir/kernel"
 testme "0" "kernel" "-r -u $valid_uuid" "$test_xml"

+if [ -f /usr/share/ovmf/OVMF.fd ]; then
+ sed -e "s,###UUID###,$uuid,g" \
+ -e "s,###DISK###,$disk1,g" \
+ -e "s,,/usr/share/ovmf/OVMF.fd,g" "$template_xml" > "$test_xml"
+ testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+else
+ echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
+fi
+
 sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,$tmpdir/initrd,g" "$template_xml" > "$test_xml"
 touch "$tmpdir/initrd"
 testme "0" "initrd" "-r -u $valid_uuid" "$test_xml"
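Review bot: The comment on the new `"/usr/share/ovmf/"` entry says only "for OVMF images", but what a maintainer needs to know is why the trailing slash is there and how narrow the exception is: if the entries in this array are matched as plain prefixes (the other entries suggest so, but the comparison loop and the signature of valid_path lie outside this hunk), the slash is what stops the entry from also whitelisting a hypothetical sibling such as /usr/share/ovmf2/, and the entry only names the Debian/Ubuntu location, so firmware shipped under other /usr/share/ subdirectories by other distributions stays under the general /usr/share/ restriction. Suggest `"/usr/share/ovmf/"  /* Debian/Ubuntu OVMF firmware, read-only; keep the trailing slash so only this directory is exempted */`. If the commit message's "list of read only paths" is accurate, naming that property in the comment would also keep the next contributor from adding a read-write exception here by mistake.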
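Review bot: The new OVMF case is skipped whenever /usr/share/ovmf/OVMF.fd is absent, so on most build and CI hosts the allow rule added in src/security/virt-aa-helper.c is never exercised, and the skip surfaces only as an echo line rather than a recorded result; if the harness has a skip convention, use it, and in any case factor the path into one variable so the `-f` test, the sed substitution and the message cannot drift, e.g. `ovmf=/usr/share/ovmf/OVMF.fd`. The substitution `s,,/usr/share/ovmf/OVMF.fd,g` appears to have lost its XML markup in this rendering (the neighbouring kernel and initrd lines show the same loss); as printed, an empty pattern makes sed reuse the previous regular expression, so verify the committed line carries the intended element anchor. The three-line backslash-continued sed also differs in style from the single-line sed calls on either side of it. The enclosing test script continues outside the hunk.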