apparmor: Fix QEMU access for UEFI variable files

QEMU needs to read, write, and lock the NVRAM *.fd files with UEFI firmware. Fixes: https://bugs.debian.org/1006324 Fixes: https://launchpad.net/bugs/1962035 Signed-off-by: Martin Pitt <mpitt@debian.org> Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2025-01-03 03:25:20 +00:00 · 2022-02-25 14:07:30 +00:00 · 2022-02-25 14:07:30 +00:00 · 7aec69b7fb
commit 7aec69b7fb
parent 23ee41152e
1 changed files with 7 additions and 3 deletions
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@ -80,13 +80,13 @@
  # access to firmware's etc
  /usr/share/AAVMF/** r,
  /usr/share/bochs/** r,
-  /usr/share/edk2-ovmf/** r,
+  /usr/share/edk2-ovmf/** rk,
  /usr/share/kvm/** r,
  /usr/share/misc/sgabios.bin r,
  /usr/share/openbios/** r,
  /usr/share/openhackware/** r,
-  /usr/share/OVMF/** r,
-  /usr/share/ovmf/** r,
+  /usr/share/OVMF/** rk,
+  /usr/share/ovmf/** rk,
  /usr/share/proll/** r,
  /usr/share/qemu-efi/** r,
  /usr/share/qemu-kvm/** r,
@ -248,3 +248,7 @@
  # /sys/bus/nd/devices
  / r, # harmless on any lsb compliant system
  /sys/bus/nd/devices/{,**/} r,
+
+  # required for QEMU accessing UEFI nvram variables
+  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
+  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,