security: AppArmor allow write when os loader readonly=no

Since libvirt commit 3ef9b51b10,
the pflash storage for the os loader file follows its read-only flag,
and qemu tries to open the file for writing if set so.

This patches virt-aa-helper to generate the VM's AppArmor rules
that allow this, using the same domain definition flag and default.

Signed-off-by: Miroslav Los <mirlos@cisco.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
This commit is contained in:
Miroslav Los 2024-06-04 11:10:59 +00:00 committed by Andrea Bolognani
parent 65b54e791f
commit c019350a76

View File

@ -1002,9 +1002,14 @@ get_files(vahControl * ctl)
if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
goto cleanup;
if (ctl->def->os.loader && ctl->def->os.loader->path)
if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
if (ctl->def->os.loader && ctl->def->os.loader->path) {
bool readonly = false;
virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
if (vah_add_file(&buf,
ctl->def->os.loader->path,
readonly ? "rk" : "rwk") != 0)
goto cleanup;
}
if (ctl->def->os.loader && ctl->def->os.loader->nvram) {
if (storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0)