virt-aa-helper, apparmor: allow /usr/share/OVMF/ too

The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for
some reason. Let the virtual machine read both.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

examples/apparmor/libvirt-qemu

@@ -70,6 +70,7 @@
   /usr/share/vgabios/** r,
   /usr/share/seabios/** r,
   /usr/share/ovmf/** r,
+  /usr/share/OVMF/** r,
 
   # access PKI infrastructure
   /etc/pki/libvirt-vnc/** r,

src/security/virt-aa-helper.c

@@ -512,6 +512,7 @@ valid_path(const char *path, const bool readonly)
         "/vmlinuz",
         "/initrd",
         "/initrd.img",
+        "/usr/share/OVMF/",              /* for OVMF images */
         "/usr/share/ovmf/"               /* for OVMF images */
     };
     /* override the above with these */

tests/virt-aa-helper-test

@@ -296,8 +296,13 @@ if [ -f /usr/share/ovmf/OVMF.fd ]; then
         -e "s,###DISK###,$disk1,g" \
         -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
     testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+elif [ -f /usr/share/OVMF/OVMF.fd ]; then
+    sed -e "s,###UUID###,$uuid,g"  \
+        -e "s,###DISK###,$disk1,g" \
+        -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
+    testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
 else
-    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
+    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd or /usr/share/OVMF/OVMF.fd"
 fi
 
 sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml"