From c019350a76d79405dd3e22d3023b71384f2924f2 Mon Sep 17 00:00:00 2001
From: Miroslav Los <mirlos@cisco.com>
Date: Tue, 4 Jun 2024 11:10:59 +0000
Subject: [PATCH] security: AppArmor allow write when os loader readonly=no

Since libvirt commit 3ef9b51b10e52886e8fe8d75e36d0714957616b7,
the pflash storage for the os loader file follows its read-only flag,
and qemu tries to open the file for writing if set so.

This patches virt-aa-helper to generate the VM's AppArmor rules
that allow this, using the same domain definition flag and default.

Signed-off-by: Miroslav Los <mirlos@cisco.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/virt-aa-helper.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index c1e89dc6cf..4d2b8ac4ab 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1002,9 +1002,14 @@ get_files(vahControl * ctl)
         if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
             goto cleanup;
 
-    if (ctl->def->os.loader && ctl->def->os.loader->path)
-        if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
+    if (ctl->def->os.loader && ctl->def->os.loader->path) {
+        bool readonly = false;
+        virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+        if (vah_add_file(&buf,
+                         ctl->def->os.loader->path,
+                         readonly ? "rk" : "rwk") != 0)
             goto cleanup;
+    }
 
     if (ctl->def->os.loader && ctl->def->os.loader->nvram) {
         if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)