security: Add support for SUSE edk2 firmware paths

SUSE installs edk2 firmwares for both x86_64 and aarch64 in /usr/share/qemu. Add support for this path in virt-aa-helper and allow locking files within the path in the libvirt qemu abstraction. Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2025-01-03 11:35:19 +00:00 · 2023-02-23 11:02:46 -07:00 · 2023-02-23 11:02:46 -07:00 · b94a82ce9a
commit b94a82ce9a
parent 6ecd218109
2 changed files with 2 additions and 1 deletions
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@ -91,7 +91,7 @@
  /usr/share/proll/** r,
  /usr/share/qemu-efi/** r,
  /usr/share/qemu-kvm/** r,
-  /usr/share/qemu/** r,
+  /usr/share/qemu/** rk,
  /usr/share/seabios/** r,
  /usr/share/sgabios/** r,
  /usr/share/slof/** r,
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -481,6 +481,7 @@ valid_path(const char *path, const bool readonly)
        "/usr/share/AAVMF/",                 /* for AAVMF images */
        "/usr/share/qemu-efi/",              /* for AAVMF images */
        "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
+        "/usr/share/qemu/",                  /* SUSE path for OVMF and AAVMF images */
        "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
        "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
    };